The identity of the second threat actor behind the Golden Chickens malware has been uncovered courtesy of a fatal operational security blunder, cybersecurity firm eSentire said.
The individual in question, who lives in Bucharest, Romania, has been given the codename Jack. He is one of the two criminals operating an account on the Russian-language Exploit.in forum under the name “badbullzvenom,” the other being “Chuck from Montreal.”
eSentire characterized Jack as the true mastermind behind Golden Chickens. Evidence unearthed by the Canadian company shows that he is also listed as the owner of a vegetable and fruit import and export business.
“Like ‘Chuck from Montreal,’ ‘Jack’ uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself,” eSentire researchers Joe Stewart and Keegan Keplinger said.
“‘Jack’ has taken great pains to obfuscate the Golden Chickens malware, trying to make it undetectable by most [antivirus] companies, and strictly allowing only a small number of customers to buy access to the Golden Chickens MaaS.”
Golden Chickens (aka More_eggs) is a malware suite used by financially-motivated cybercrime actors such as Cobalt Group and FIN6. The threat actors behind the malware, also known as Venom Spider, operate under a malware-as-a-service (MaaS) model.
Jack’s online activities, according to eSentire, go all the way back to 2008, when he was just 15 years old and signed up for various cybercrime forums as a novice member. All his aliases are being collectively tracked as LUCKY.
The investigation, in putting together his digital trail, traces Jack’s progression from a teenager interested in building malicious programs to a longtime hacker involved in developing password stealers, crypters, and More_eggs.
Some of the earliest malware tools developed by Jack in 2008 consisted of Voyer, which is capable of harvesting a user’s Yahoo instant messages, and an information stealer christened FlyCatcher that can record keystrokes.
A year later, Jack released a new password stealer dubbed CON that’s designed to siphon credentials from different web browsers, VPN, and FTP applications as well as now-defunct messaging apps like MSN Messenger and Yahoo! Messenger.
Jack, later that same year, began advertising a crypter referred to as GHOST to help other actors encrypt and obfuscate malware with the goal of evading detection. The unexpected demise of his father in a car accident is believed to have caused him to pause development of the tool in 2010.
Fast forward to 2012, Jack began to gain a reputation in the cybercriminal community as a scammer for failing to provide adequate support to customers purchasing the product from him.
He also cited “big life problems” in a forum post on April 27, 2012, stating he is contemplating moving to Pakistan to work for the government as a security specialist and that one among his crypter customers “works at pakistan guv” [read government].
It’s not immediately clear if Jack ended up going to Pakistan, but eSentire said it spotted tactical overlaps between a 2019 campaign conducted by a Pakistani threat actor known as SideCopy and Jack’s VenomLNK malware, which functions as the initial access vector for the More_eggs backdoor.
Jack is suspected to have crossed paths with “Chuck from Montreal” sometime between late 2012 and October 4, 2013, the date on which a message was posted from Chuck’s badbullz account on the Lampeduza forum containing contact information – a Jabber address – associated with LUCKY.
It’s speculated that Jack brokered a deal with Chuck that would allow him to post under Chuck’s aliases “badbullz” and “badbullzvenom” on various underground forums as a way to get around his notoriety as a ripper.
Lending credence to this hypothesis is the fact that one of LUCKY’s new tools, a kit for building macros called MULTIPLIER, was released in 2015 via the badbullzvenom account, while the threat actor behind the LUCKY account ceased posting through that handle.
“By using the badbullzvenom and badbullz accounts, and unbeknownst to forum members, he is essentially starting with a clean slate, and he can continue to build his credibility under the account aliases: badbullz and badbullzvenom,” the researcher explained.
Subsequently in 2017, badbullzvenom (aka LUCKY) released a separate tool called VenomKit, which has since evolved into the Golden Chickens MaaS. The malware’s ability to evade detection also caught the attention of Cobalt Group, a Russia-based cybercrime gang that leveraged it to deploy Cobalt Strike in attacks aimed at financial entities.
Two years later, another financially motivated threat actor labeled FIN6 (aka ITG08 or Skeleton Spider) was observed using the Golden Chickens service to anchor its intrusions targeting point-of-sale (POS) machines used by retailers in Europe and the U.S.
The cybersecurity firm said it also found the identities of his wife, mother, and two sisters. He and his wife are said to reside in an upscale part of Bucharest, with his wife’s social media accounts documenting their trips to cities like London, Paris, and Milan. The photos further show them wearing designer clothing and accessories.
“The threat actor who went by the alias LUCKY and who also shares the badbullz and badbullzvenom accounts with the Montreal-based cybercriminal ‘Chuck,’ made his fatal mistake when he used the Jabber account,” the researchers said.