22 May 2023

Researchers identify second developer behind Golden Chickens MaaS


Researchers from cybersecurity firm eSentire have exposed the identity of a second developer behind Golden Chickens (More_Eggs), a Malware-as-a-Service (MaaS) used by several financial crime groups, among them Russia-based FIN6, Evilnum and the Cobalt Group, whose operations have caused losses totaling more than $1.5 billion.

Also known as Venom Spider, Golden Chickens provides Malware-as-a-Service through a variety of tools, such as Taurus Builder, which creates malicious documents, and the More_eggs backdoor, which serves additional payloads via JavaScript. The malware has been primarily used to steal banking information and credit card data, targeting the online payment systems of organizations in the accounting, aviation, insurance, legal, energy, and food industries.

In August 2022, eSentire revealed the real-world identity of one of the operators behind Golden Chickens known as ‘badbullzvenom’ and ‘Chuck from Montreal’, a Moldavian national living in Canada.

Now the company has released a follow-up report exposing the second Golden Chickens operator, whom the researchers identify as ‘Jack.’ He is the second criminal operating an account on the Russian-language Exploit.in forum under the name “badbullzvenom.”

“Like “Chuck from Montreal”, ‘Jack’ uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself. ‘Jack’ has taken great pains to obfuscate the Golden Chickens malware, trying to make it undetectable by most AV companies, and strictly allowing only a small number of customers to buy access to the Golden Chickens MaaS,” the researchers said.

Jack, who was born in a small Romanian town called Mizil, is believed to be the mastermind behind the Golden Chickens operation, which he launched in 2017.

He has been engaging in malware development since 2008, when he was 15 years old, starting from password stealers and then moving to cryptors. He also created a malicious document builder that he improved with a JavaScript backdoor and a password stealer.

Between 2007 and 2008, Jack, who was using the alias ‘Lucky,’ released a malware tool called ‘Voyer’, designed to steal a victim’s Yahoo instant messages. In the following years he released several more malware tools: the FlyCatcher keylogger, the Con password stealer, and a cryptor named Ghost.

Over the years ‘Jack’ gained a reputation as a ripper and scammer. On July 18, 2022, a threat actor going by “babay” went on Exploit.in and accused badbullzvenom of stealing $1 million from him. Consequently, babay issued a $200,000 bounty for any information leading to badbullzvenom’s real identity.

According to the researchers, Lucky met ‘Chuck from Montreal’ on an underground forum around 2013, and made a deal with Chuck that the latter would allow him to use “badbullz” and “badbullzvenom” on a number of forums.

“The threat actor who went by the alias Lucky and who also shares the badbullz and badbullzvenom accounts with the Montreal-based cybercriminal “Chuck,” made his fatal mistake when he used the jabber account. It was this jabber ID which led TRU to discover the Lucky account and subsequently the real threat actor behind Lucky and partner to “Chuck from Montreal,” the researchers said.
