22 May 2023

Researchers identify second developer behind Golden Chickens MaaS

Researchers from cybersecurity firm eSentire have exposed the identity of a second developer behind Golden Chickens (More_Eggs), a Malware-as-a-Service (MaaS) used by several financial crime groups, including the Russia-based FIN6, Evilnum and Cobalt Group, whose attacks have caused losses totaling more than $1.5 billion.

Also known as Venom Spider, Golden Chickens provides Malware-as-a-Service through a variety of tools, such as Taurus Builder, which creates malicious documents, and the More_eggs backdoor, which serves additional payloads via JavaScript. The malware has been primarily used to steal banking information and credit card data, targeting the online payment systems of organizations in the accounting, aviation, insurance, legal, energy, and food industries.

In August 2022, eSentire revealed the real-world identity of one of the operators behind Golden Chickens, known as ‘badbullzvenom’ and ‘Chuck from Montreal’, a Moldovan national living in Canada.

Now, the company has released a follow-up report exposing the second Golden Chickens operator, whom the researchers identify as ‘Jack.’ He is the second criminal operating the account on the Russian-language Exploit.in forum under the name “badbullzvenom.”

“Like ‘Chuck from Montreal’, ‘Jack’ uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself. ‘Jack’ has taken great pains to obfuscate the Golden Chickens malware, trying to make it undetectable by most AV companies, and strictly allowing only a small number of customers to buy access to the Golden Chickens MaaS,” the researchers said.

Jack, who was born in a small Romanian town called Mizil, is believed to be the mastermind behind the Golden Chickens operation, which he launched in 2017.

He has been engaged in malware development since 2008, when he was 15 years old, starting with password stealers and then moving on to cryptors. He also created a malicious document builder, which he later improved with a JavaScript backdoor and a password stealer.

Between 2007 and 2008, Jack, who was using the alias ‘Lucky,’ released a malware tool called ‘Voyer’, designed to steal a victim’s Yahoo instant messages. In the following years he released several more malware tools: the FlyCatcher keylogger, the Con password stealer, and a cryptor named Ghost.

Over the years ‘Jack’ gained a reputation as a ripper and scammer. On July 18, 2022, a threat actor going by “babay” went on Exploit.in and accused badbullzvenom of stealing $1 million from him. Consequently, babay issued a $200,000 bounty for any information leading to badbullzvenom’s real identity.

According to the researchers, Lucky met ‘Chuck from Montreal’ on an underground forum around 2013 and made a deal with Chuck under which the latter would allow him to use the “badbullz” and “badbullzvenom” handles on a number of forums.

“The threat actor who went by the alias Lucky and who also shares the badbullz and badbullzvenom accounts with the Montreal-based cybercriminal “Chuck,” made his fatal mistake when he used the jabber account. It was this jabber ID which led TRU to discover the Lucky account and subsequently the real threat actor behind Lucky and partner to “Chuck from Montreal,” the researchers said.
