New Research Uncovers Threat Actor Behind Infamous Golden Chickens Malware-as-a-Service

The identity of the individual behind the Golden Chickens malware-as-a-service has been uncovered by cybersecurity experts. The perpetrator, known online as “badbullzvenom,” has been identified in the real world.

An extensive 16-month investigation by eSentire’s Threat Response Unit revealed that the badbullzvenom account was linked to multiple individuals, as outlined in the unit’s recently published report.

By identifying themselves as “Chuck from Montreal,” the individual known as Frapstar left a digital trail that allowed the cybersecurity firm to piece together its identity.

This includes the following information:-

• Real name
• Pictures
• Home address
• Names of his parents
• Siblings
• Friends
• Social media accounts
• His interests

Tools Used by Threat Actors

The Golden Chickens (aka Venom Spider) platform is a MaaS provider that integrates with a number of tools such as the following:-

• Taurus Builder
• More_eggs
• VenomLNK
• TerraLoader
• TerraRecon
• TerraStealer
• TerraTV
• TerraPreter
• TerraCrypt

As per the report, the cyber tools of this threat actor have been utilized by various prominent cybercrime groups, causing a combined estimated loss of $1.5 billion.

Here below we have mentioned the group names that are involved:-

• Cobalt Group (aka Cobalt Gang)
• Evilnum
• FIN6

The connection Between badbullzvenom and Frapstar

In order to connect the different forum accounts associated with the Golden Chickens MaaS, the TRU team conducted a thorough analysis of various security reports through Open Source Intelligence (OSINT). 

They discovered a 2015 Trend Micro report named, “Attack of the Solo Cybercriminals – Frapstar in Canada,” which identified the threat actor as a lone carder, who monetizes stolen credit cards and has multiple aliases and accounts on multiple hacker forums, one of them being badbullzvenom.

Here are some of the key details about the threat actor known as Frapstar:-

• They have a particular interest in procuring Canadian credit card accounts that have been compromised.
• They own a BMW 5 Series automobile, and it is an E39 540i model.
• The usernames they use on various forums are Badbullzvenom, Badbullz, Frapstar, Ksensei21, and E39_Frap* (i.e., E39_Frapstar).

In a change of strategy, the same tactics were used last year to target corporate hiring managers by sending resumes with malware as a way to infect their systems.

The individual known as ‘Chuck,’ who utilizes various aliases for his underground forum, social media, and Jabber accounts, and the threat actor who claims to be from Moldova, have taken significant measures to conceal their true identities.

The developers of Golden Chickens malware have put a great deal of effort into making it evasive to detection by the majority of AV companies, and have restricted the use of the malware to only targeted attacks.

It is believed that Chuck is one of the two individuals who control the badbullzvenom account on the Exploit[.]in the underground forum. The location of the other party is yet to be determined but could be from:-

• Moldova
• Romania

Recommendations

Here below we have mentioned the recommendations offered by the cybersecurity analysts:-

• Ensure that the endpoints are monitored exhaustively.
• Be sure to inform employees about common phishing tactics in order to avoid falling victim to them.
• In order to tackle phishing and suspicious behavior, it is important to have an easy process in place for reporting it.
• Take advantage of Managed Detection and Response services which will allow you to monitor your security 24 hours a day.

Network Security Checklist – Download Free E-Book