Meet ‘Jack’ from Romania! Mastermind Behind Golden Chickens Malware

The identity of the second threat actor behind the Golden Chickens malware has been uncovered. According to cybersecurity firm eSentire, the discovery was made possible by a fatal operational security mistake.

The person in question lives in Bucharest, Romania, and is known by the codename Jack. He is one of two criminals who operate an account under the name “badbullzvenom” on the Russian-language Exploit.in forum; the other is “Chuck of Montreal.”

eSentire characterized Jack as the true mastermind behind Golden Chickens. According to evidence unearthed by the Canadian company, he is also listed as the owner of a vegetable and fruit import-export business.

“Like ‘Chuck of Montreal’, ‘Jack’ uses multiple aliases on underground forums, social media and Jabber accounts, and he also goes to great lengths to disguise himself,” said eSentire researchers Joe Stewart and Keegan Koeplinger.

“‘Jack’ put a lot of effort into obfuscating the Golden Chickens malware, trying to make it undetectable by most [antivirus] companies, and strictly allows only a small number of customers to purchase access to the Golden Chickens MaaS.”

Golden Chickens (aka More_eggs) is a malware suite used by financially motivated cybercriminals such as Cobalt Group and FIN6. The attackers behind the malware, also tracked as Venom Spider, operate under a Malware-as-a-Service (MaaS) model.

This JavaScript malware is distributed through phishing campaigns and comes with several components to gather financial information, perform lateral movement, and even drop a ransomware plugin for PureLocker called TerraCrypt.

According to eSentire, Jack’s online activity dates back to 2008. He was just 15 years old at the time and was a novice member of various cybercrime forums. All his aliases are tracked together as LUCKY.

The investigation pieced together Jack’s digital trail, tracing his rise from a teenager interested in building malicious programs to a veteran hacker working on password stealers, crypters, and More_eggs.

Early malware tools Jack developed in 2008 included Voyer, which could collect users’ Yahoo instant messages, and an information stealer called FlyCatcher, which could record keystrokes.

A year later, Jack released a new password stealer called CON. It was designed to siphon credentials from various web browsers, VPNs, FTP applications, and even now-defunct messaging apps such as MSN Messenger and Yahoo! Messenger.

Later that same year, Jack began promoting a crypter called GHOST that helped other attackers encrypt and obfuscate malware with the goal of evading detection. It is believed that development of the tool was put on hold in 2010 after his father suddenly died in a car accident.

By 2012, Jack had earned a reputation as a fraudster within the cybercrime community for failing to provide adequate support to customers who purchased his products.

In a forum post dated April 27, 2012, he also said he was considering moving to Pakistan to work as a security expert for the government, referring to one of his crypter’s customers as a person who said, “I work for the Pakistani guv” [read: government].


It’s not immediately clear whether Jack ended up going to Pakistan, but eSentire said it found tactical overlaps between a 2019 campaign conducted by the Pakistani threat actor known as SideCopy and the More_eggs backdoor, with Jack’s VenomLNK malware acting as the access vector.

Jack is alleged to have crossed paths with “Chuck of Montreal” between the end of 2012 and October 4, 2013, the day a message containing LUCKY-related contact information (a Jabber address) was posted from Chuck’s badbullz account on the Lampeduza forum.

It is speculated that Jack brokered a deal with Chuck that allowed him to post on various underground forums under Chuck’s aliases “badbullz” and “badbullzvenom” as a way of shedding his notoriety as a ripper.

Adding credence to this hypothesis is the fact that one of LUCKY’s new tools, a macro builder kit called MULTIPLIER, was released in 2015 via the badbullzvenom account, while the actor himself stopped posting under the LUCKY handle.

“Using the badbullzvenom and badbullz accounts without the knowledge of forum members allows him to basically start with a clean slate and continue to build credibility under the account aliases badbullz and badbullzvenom,” the researchers explained.

Then, in 2017, badbullzvenom (aka LUCKY) released another tool called VenomKit, which has since evolved into the Golden Chickens MaaS. The malware’s ability to evade detection also caught the attention of the Russia-based cybercriminal organization Cobalt Group, which used it to deploy Cobalt Strike in attacks targeting financial institutions.

Two years later, another financially motivated threat actor dubbed FIN6 (aka ITG08 or Skeleton Spider) was observed using the Golden Chickens service in targeted intrusions to compromise point-of-sale (POS) machines used by retailers in Europe and the United States.

The cybersecurity firm said it also discovered the identities of Jack’s wife, mother and two sisters. He and his wife live in an upmarket district of Bucharest, and his wife’s social media accounts are said to document trips to cities such as London, Paris and Milan. The photos also show them wearing designer clothes and accessories.

“This actor, who goes by the alias LUCKY and shares badbullz and badbullzvenom accounts with Montreal-based cybercriminal ‘Chuck’, made a fatal mistake when using the Jabber account,” the researchers said.
