Cybersecurity researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona “badbullzvenom.”
eSentire’s Threat Response Unit (TRU), in an exhaustive report published following a 16-month-long investigation, said it “found multiple mentions of the badbullzvenom account being shared between two people.”
The second threat actor, known as Frapstar, is said to identify themselves as “Chuck from Montreal,” enabling the cybersecurity firm to piece together the criminal actor’s digital footprint.
This includes his real name, pictures, home address, the names of his parents, siblings, and friends, along with his social media accounts and his interests. He is also said to be the sole proprietor of a small business that’s run from his own home.
Golden Chickens, also known as Venom Spider, is a malware-as-a-service (MaaS) provider that’s linked to a variety of tools such as Taurus Builder, software to create malicious documents; and More_eggs, a JavaScript downloader that’s used to serve additional payloads.
The threat actor’s cyber arsenal has been put to use by other prominent cybercriminal groups like Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6, all of which are estimated to have collectively caused losses totaling $1.5 billion.
Past More_eggs campaigns, some dating back to 2017, have involved spear-phishing business professionals on LinkedIn with bogus job offers that give threat actors remote control over the victim’s machine, leveraging it to harvest information or deploy more malware.
Last year, in a reversal of sorts, the same tactics were employed to strike corporate hiring managers with resumes laden with malware as an infection vector.
The earliest documented record of Frapster’s activity goes back to May 2015, when Trend Micro described the individual as a “lone criminal” and a luxury car enthusiast.
“‘Chuck,’ who uses multiple aliases for his underground forum, social media, and Jabber accounts, and the threat actor claiming to be from Moldova, have gone to great lengths to disguise themselves,” eSentire researchers Joe Stewart and Keegan Keplinger said.
“They have also taken great pains to obfuscate the Golden Chickens malware, trying to make it undetectable by most AV companies, and limiting customers to using Golden Chickens for ONLY targeted attacks.”
It’s suspected that Chuck is one of the two threat actors operating the badbullzvenom account on the Exploit.in underground forum, with the other party possibly located in Moldova or Romania, eSentire noted.
The Canadian cybersecurity company said it further uncovered a new attack campaign targeting e-commerce companies, tricking recruiters into downloading a rogue Windows shortcut file from a website that masquerades as a resume.
The shortcut, a malware dubbed VenomLNK, serves as an initial access vector to drop More_eggs or TerraLoader, which subsequently acts as a conduit to deploy different modules, namely TerraRecon (for victim profiling), TerraStealer (for information theft), and TerraCrypt (for ransomware extortion).
“The malware suite is still actively being developed and is being and sold to other threat actors,” the researchers concluded, urging organizations to be on the lookout for potential phishing attempts.
