One of the threat actors behind the Golden Chickens malware suite said to be favoured by three major Russian criminal cyber gangs lives in Montreal, according to an investigation by a Canadian-based managed security services firm.
The claim was made Thursday by researchers at eSentire following a 16-month investigation into the person behind posts on a number of hacker forums and social media sites where “Chuck in Montreal” may have made some slips — including mentioning his love for BMWs.
The report doesn’t name the man. But eSentire’s threat response unit says it knows “Chuck’s” real name, has pictures of him, his home address, the names of his parents, siblings, and friends; his social media accounts, his hobbies, and that he owns a small business which he runs out of his home. He also has a keen interest in buying stolen Canadian credit card accounts, the researchers say.
Their work has been turned over to police, though the report doesn’t say which force.
In addition to being an interesting example of how to use publicly available threat intelligence and sleuthing, the report includes indicators of compromise and techniques used by major threat groups that IT security teams can leverage.
The researchers also allege police missed an opportunity years ago when Trend Micro published a report in 2015 about a threat actor using the names “Frapstar” and “badbullzvenom.” eSentire believes Frapstar is “Chuck” and shares the badbullzvenom account with another operator of Golden Chickens. That person claims to be from Moldova.
The 2015 Trend Micro report “provided solid intelligence about this threat actor, giving law enforcement a real chance of identifying and potentially arresting badbullzvenom when he was still a minor player on the cybercrime scene,” says eSentire.
“Instead, he has had seven years to hone his skills, and from our findings, we see that he has continued to get better at developing malware and obfuscating it. Badbullzvenom is very stealthy, and he goes to extremes to keep his malware fully undetectable (FUD) by anti-virus, trying to make sure that samples of Golden Chickens are not uploaded to Virus Total. Badbullzvenom also insists that his clients only use his malware in very “targeted” attacks to further ensure that he and his malicious software fly under the radar. We believe the case of the Golden Chickens operator is a stark example of what can happen if a threat actor, who is considered “low hanging fruit,” is ignored by law enforcement.”
It isn’t known if police ignored the report.
eSentire says Golden Chickens is the “cyber weapon of choice” for three of the top money-making and longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group, and Belarus-based Evilnum. The three are estimated to have collectively caused financial losses of over US$1.5 billion, the researchers say.
Since 2018, the Golden Chickens suite has been distributed as Malware-as-a-Service (MaaS), the report says. Between April 2021 and April of this year, the researchers discovered two significant hacking campaigns utilizing Golden Chickens. During the April 2021 incidents, corporate employees on LinkedIn were targeted with fake job offers. One year later, the attack tactics were reversed, with corporate hiring managers sent fake resumes of job applicants, laden with malware.
There is compelling evidence that the threat actor detailed in the report is one of possibly two operators behind the badbullzvenom account on the hacker forum Exploit.in, says eSentire.
“Interestingly,” it adds, “as of July 2022, all of badbullzvenom’s posts on Exploit.in have been purged from the forum.” That could be because a threat actor calling themselves “babay” went on to Exploit.in and accused badbullzvenom of stealing $1 million from him. Babay has issued a $200,000 bounty for any information leading to badbullzvenom’s real identity.
On the other hand, eSentire continues to see improvements in the Golden Chickens source code and new Golden Chickens attack campaigns. “That tells us that the malware suite is still actively being developed and is being sold to other threat actors,” the report says.
eSentire recommends IT security leaders use exhaustive endpoint monitoring for abuse of LOLBINs (living-off-the-land binaries), also known as trusted Windows binary abuse. LOLBINs of interest include cmd.exe, wscript.exe, wmic.exe, cmstp.exe, msxsl.exe, powershell.exe, and ie4uinit.exe. Ensure endpoint products have rules in place to detect suspicious usage of these Windows processes, the report says.
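As an added illustration of that recommendation (example code written for this article, not from the eSentire report), the script below triages constructed process-creation events: the binary list is the one the report names, while the key=value log layout and the rule that a listed binary launched by a document, mail or browser application is escalated are assumptions made for the example.

```python
import re

# Trusted Windows binaries named in the eSentire report.
LOLBINS = {"cmd.exe", "wscript.exe", "wmic.exe", "cmstp.exe",
           "msxsl.exe", "powershell.exe", "ie4uinit.exe"}
# ASSUMPTION for this example (not from the report): a listed binary launched
# by a document, mail or browser application is escalated, because those open
# lure files such as resumes and job offers.
LURE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                "chrome.exe", "msedge.exe", "acrord32.exe"}
# Constructed sample telemetry in a simple key=value layout (not real logs).
SAMPLE_EVENTS = """\
ts=2022-09-01T10:00:01 parent=explorer.exe image=C:\\Windows\\System32\\cmd.exe
ts=2022-09-01T10:02:17 parent=WINWORD.EXE image=C:\\Windows\\System32\\wscript.exe
ts=2022-09-01T10:03:44 parent=outlook.exe image=cmstp.exe
ts=2022-09-01T10:05:09 parent=services.exe image=wmic.exe
ts=2022-09-01T10:06:30 parent=chrome.exe image=notepad.exe
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Split one key=value line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def basename(path):
    """Lower-cased file name from a Windows path or a bare name."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return 'alert', 'review' or None for one process-creation event."""
    image = basename(event.get("image", ""))
    if image not in LOLBINS:
        return None
    if basename(event.get("parent", "")) in LURE_PARENTS:
        return "alert"   # LOLBIN spawned by a lure-opening application
    return "review"      # LOLBIN seen; baseline it against normal admin use

def scan(text):
    """Return (ts, verdict, parent, image) for each event worth a look."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            findings.append((ev["ts"], verdict,
                             basename(ev["parent"]), basename(ev["image"])))
    return findings
```

The "review" verdict exists because every binary on the list also has legitimate administrative use; those events are for baselining, not paging someone.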