The identity of the second threat actor behind the Golden Chickens malware has been discovered thanks to a fatal operational security mistake, says cybersecurity firm eSentire.
The individual in question, who lives in Bucharest, Romania, has been codenamed Jack. He is one of two criminals who operate accounts on the Russian-language Exploit.in forum under the name “badbullzvenom”, the other being “Chuck from Montreal”.
eSentire characterizes Jack as the real mastermind behind Golden Chickens. Evidence unearthed by the Canadian company shows that he is also listed as the owner of a vegetable and fruit import and export business.
“Like ‘Chuck from Montreal,’ ‘Jack’ uses multiple aliases for underground forums, social media, and Jabber accounts, and he also goes to great lengths to disguise himself,” eSentire researchers Joe Stewart and Keegan Keplinger said.
“‘Jack’ has gone to great lengths to obfuscate Golden Chickens malware, trying to make it undetectable to most (antivirus) companies, and only allowing a limited number of customers to purchase access to Golden Chickens MaaS.”
Golden Chickens (aka More_eggs) is a suite of malware used by financially motivated cybercriminals such as the Cobalt Group and FIN6. The threat actor behind the malware, also known as Venom Spider, operates under the malware-as-a-service (MaaS) model.
Jack’s online activity, according to eSentire, began in 2008, when he was only 15 years old and signed up for various cyber crime forums as a novice member. All of his aliases are being tracked collectively as LUCKY.
The investigation, by piecing together his digital footprint, traces Jack’s development from a teenager interested in building malicious programs to a longtime hacker involved in the development of password stealers, crypters, and More_eggs.
Some of the earliest malware tools developed by Jack in 2008 included Voyer, which could harvest a user’s Yahoo instant messages, and an information stealer called FlyCatcher, which could record keystrokes.
A year later, Jack released a new password stealer dubbed CON that was designed to siphon credentials from various web browsers, VPN, and FTP applications, as well as from now-defunct messaging apps such as MSN Messenger and Yahoo! Messenger.
Later that same year, Jack began advertising a crypter called GHOST to help other actors encrypt and obfuscate malware with the goal of evading detection. The sudden death of his father in a car accident is believed to have caused him to halt development of the crypter in 2010.
Fast forward to 2012, and Jack was beginning to earn a reputation in the cybercriminal community as a conman for failing to provide adequate support to customers who bought products from him.
He also cited “big life problems” in a forum post on April 27, 2012, stating that he was considering moving to Pakistan to work for the government as a security specialist, and that one of his crypter customers “works in pakistan guv” (i.e., government).
It wasn’t immediately clear whether Jack ultimately went to Pakistan, but eSentire said it observed tactical overlap between a 2019 campaign carried out by a Pakistani threat actor known as SideCopy and Jack’s VenomLNK, which served as an initial access vector for the More_eggs backdoor.
Jack is alleged to have crossed paths with “Chuck from Montreal” between late 2012 and October 4, 2013, the date on which messages were posted from Chuck’s badbullz account on the Lampeduza forums containing contact information, specifically a Jabber address, linked to LUCKY.
It has been speculated that Jack brokered a deal with Chuck that would allow him to post under Chuck’s aliases “badbullz” and “badbullzvenom” on various underground forums as a way to get around his notoriety as a ripper.
Supporting this hypothesis is the fact that one of LUCKY’s new tools, a macro builder kit called MULTIPLIER, was released in 2015 via the badbullzvenom account, while the threat actor behind the LUCKY account stopped posting under that handle.
“By using the badbullzvenom and badbullz accounts, and unbeknownst to forum members, he essentially started with a clean slate, and he was able to continue to build his credibility under the account aliases: badbullz and badbullzvenom,” the researchers explained.
Later, in 2017, badbullzvenom (aka LUCKY) released a separate tool called VenomKit, which subsequently evolved into the Golden Chickens MaaS. The malware’s ability to evade detection also drew the attention of Cobalt Group, a Russia-based cybercrime gang that uses it to deploy Cobalt Strike in attacks aimed at financial entities.
Two years later, another financially motivated threat actor, tracked as FIN6 (aka ITG08 or Skeleton Spider), was observed using Golden Chickens services in intrusions targeting point-of-sale (POS) machines used by retailers in Europe and the US.
The cybersecurity firm said it also identified his wife, mother and two sisters. He and his wife are said to live in an upscale part of Bucharest, with his wife’s social media account documenting their travels to cities such as London, Paris and Milan. Further photos show them wearing designer clothes and accessories.
“The threat actor who uses the alias LUCKY and also shares badbullz and badbullzvenom accounts with the Montreal-based cyber criminal ‘Chuck’ made a fatal mistake when he used the Jabber account,” the researchers said.