Wednesday, December 6, 2023

New Research Uncovers Threat Actor Behind Infamous Golden Chickens Malware-as-a-Service

The identity of the individual behind the Golden Chickens malware-as-a-service has been uncovered by cybersecurity experts. The perpetrator, known online as “badbullzvenom,” has been identified in the real world.

An extensive 16-month investigation by eSentire’s Threat Response Unit revealed that the badbullzvenom account was linked to multiple individuals, as outlined in the unit’s recently published report.

By identifying themselves as “Chuck from Montreal,” the individual known as Frapstar left a digital trail that allowed the cybersecurity firm to piece together its identity.

This includes the following information:-

  • Real name
  • Pictures
  • Home address
  • Names of his parents
  • Siblings
  • Friends
  • Social media accounts
  • His interests

Tools Used by Threat Actors

The Golden Chickens (aka Venom Spider) platform is a MaaS provider that integrates with a number of tools such as the following:-

  • Taurus Builder
  • More_eggs
  • VenomLNK
  • TerraLoader
  • TerraRecon
  • TerraStealer
  • TerraTV
  • TerraPreter
  • TerraCrypt

As per the report, the cyber tools of this threat actor have been utilized by various prominent cybercrime groups, causing a combined estimated loss of $1.5 billion.

Here below we have mentioned the group names that are involved:-

  • Cobalt Group (aka Cobalt Gang)
  • Evilnum
  • FIN6

The connection Between badbullzvenom and Frapstar

In order to connect the different forum accounts associated with the Golden Chickens MaaS, the TRU team conducted a thorough analysis of various security reports through Open Source Intelligence (OSINT). 

They discovered a 2015 Trend Micro report named, “Attack of the Solo Cybercriminals – Frapstar in Canada,” which identified the threat actor as a lone carder, who monetizes stolen credit cards and has multiple aliases and accounts on multiple hacker forums, one of them being badbullzvenom.

Here are some of the key details about the threat actor known as Frapstar:-

  • They have a particular interest in procuring Canadian credit card accounts that have been compromised.
  • They own a BMW 5 Series automobile, and it is an E39 540i model.
  • The usernames they use on various forums are Badbullzvenom, Badbullz, Frapstar, Ksensei21, and E39_Frap* (i.e., E39_Frapstar).

In a change of strategy, the same tactics were used last year to target corporate hiring managers by sending resumes with malware as a way to infect their systems.

The individual known as ‘Chuck,’ who utilizes various aliases for his underground forum, social media, and Jabber accounts, and the threat actor who claims to be from Moldova, have taken significant measures to conceal their true identities.

The developers of Golden Chickens malware have put a great deal of effort into making it evasive to detection by the majority of AV companies, and have restricted the use of the malware to only targeted attacks.

It is believed that Chuck is one of the two individuals who control the badbullzvenom account on the Exploit[.]in the underground forum. The location of the other party is yet to be determined but could be from:-

  • Moldova 
  • Romania


Here below we have mentioned the recommendations offered by the cybersecurity analysts:-

  • Ensure that the endpoints are monitored exhaustively.
  • Be sure to inform employees about common phishing tactics in order to avoid falling victim to them.
  • In order to tackle phishing and suspicious behavior, it is important to have an easy process in place for reporting it.
  • Take advantage of Managed Detection and Response services which will allow you to monitor your security 24 hours a day.

Network Security Checklist – Download Free E-Book


Latest articles

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...

Serpent Stealer Acquires Browser Passwords and Erases Intrusion Logs

Beneath the surface of the cyber realm, a silent menace emerges—crafted with the precision...

Doppelgänger: Hackers Employ AI to Launch Highly sophistication Attacks

It has been observed that threat actors are using AI technology to conduct illicit...

Kali Linux 2023.4 Released – What’s New!

Kali Linux 2023.4, the latest version of Offensive Security's renowned operating system, has been...

Trickbot Malware Developer Pleads Guilty & Faces 35 Years in Prison

A 40-year-old Russian national, Vladimir Dunaev, pleaded guilty for developing and deploying Trickbot malware....

ICANN Launches RDRS to Assist Law Enforcement Agencies to Discover Private Info

ICANN is a non-profit organization that is responsible for coordinating the global internet's-DNSIP address...

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles