Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
by Joe Stewart and Keegan Keplinger,
Security Researchers with eSentire‘s Threat Response Unit (TRU)
For the past 16 months, eSentire’s security research team, the Threat Response Unit (TRU), has been tracking one of the most capable and stealthy malware suites — Golden Chickens. Golden Chickens is the “cyber weapon of choice” for three of the top money making, longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group and Belarus-based Evilnum. The three criminal operations are estimated to have collectively caused financial losses over USD $1.5 billion. This report unveils the identity of the threat actor behind Golden Chickens—who goes by badbullzvenom—and outlines how he was found.
Who is badbullzvenom? Reading through the history of the threat actor’s posts on the Russian-language hacker forum, Exploit.in, TRU found multiple mentions of the badbullzvenom account being shared between two people. From the posts, we learn the following about badbullzvenom:
Numerous other data points in the report connect a second threat actor, who goes by “Frapstar” and the username badbullzvenom. He self-identifies as “Chuck from Montreal” – an alias. In addition to speaking French and having a keen interest in buying stolen Canadian credit card accounts, he says he owns a BMW 5 Series automobile, which provides TRU with further leads into the identity of “Chuck”.
TRU has discovered “Chuck’s” real name, pictures of him, his home address, the names of his parents, siblings, and friends; his social media accounts, his hobbies, and that he owns a small business, which he runs out of his home.
“Chuck”, who uses multiple aliases for his underground forum, social media, and Jabber accounts, and the threat actor claiming to be from Moldova, have gone to great lengths to disguise themselves. They have also taken great pains to obfuscate the Golden Chickens malware, trying to make it undetectable by most AV companies, and limiting customers to using Golden Chickens for ONLY targeted attacks. Because of eSentire’s investigation, “Chuck” has lost his anonymity. TRU also continues to track improvements in the Golden Chickens source code and discover new Golden Chickens attack campaigns, as recent as July, which tells us at least one threat actor is still actively developing the product and selling it to other cybercriminals. We expect to see further targeted attacks, leveraging this malware, being launched against financial institutions and other organizations in the foreseeable future.
eSentire is a leading global provider of Managed Detection and Response security services. For the past 16 months, our security research team, the Threat Response Unit (TRU), has been tracking, analyzing, and defending our customers from one of the most capable and stealthy malware suites on the Cyber Underground – Golden Chickens. Golden Chickens is the “cyber weapon of choice” for three of the top money making and longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group and Belarus-based Evilnum. The three cybercrime operations are estimated to have collectively caused financial losses over USD $1.5 billion.
Since 2018, the Golden Chickens suite has been distributed as a Malware-as-a-Service (MaaS). Between April 2021 and April 2022, TRU discovered two significant hacking campaigns utilizing Golden Chickens. During the April 2021 incidents, TRU found corporate employees on LinkedIn being targeted by threat actors using fake job offers. One year later the April 2022 campaign uncovered by TRU demonstrated that the attack tactics were reversed, and corporate hiring managers were sent fake resumes, of job applicants, laden with malware.
TRU continues to track the Golden Chickens malware, and not only have we detected a new threat campaign that appears to be targeting e-Commerce organizations, we have also discovered the identity of the threat actor/operator behind Golden Chickens. He is referred to by CrowdStrike researchers as VENOM SPIDER, and he has been connected to the threat actor “badbullzvenom”.
TRU has tracked many of badbullzvenom‘s Internet activities, going back as far as 2013. We have also discovered badbullzvenom‘s birthdate, home address, his parents and siblings‘ names, friends‘ names, his hobbies, his social media accounts, and one of his side businesses.
It is rare to uncover this level of detail about a threat operator, and it illustrates the breadth and expertise of TRU. This intelligence, including many of the Underground Forum conversations badbullzvenom has had with other threat actors, has been extremely valuable. It has helped us better decipher his Tactics, Techniques and Procedures (TTPs), as well as the origins of the Golden Chickens MaaS and its ongoing operations. With this knowledge, we continue to hone our defenses, protecting eSentire’s global customer base from well-orchestrated attacks utilizing the Golden Chickens MaaS.
It is our objective with this report to share our research with other organizations and their security teams so that they might better defend their critical data and applications from threat actors mounting attack campaigns using the Golden Chickens malware suite. The balance of this report includes:
For those not familiar with FIN6, Cobalt Group and Evilnum, they are hands down three of the longest-running and successful financial crime gangs, and it is reported that cumulatively they have caused over USD $1.5 billion in losses.
This Russia-based, financial cybercrime group is known as one of the most notorious hacking gangs in the world of cybercrime. They dominated news headlines in 2018 when they were cited as being the cyber gang who broke into the online payment systems of British Airways, Ticketmaster UK and top electronic retailer, Newegg, stealing credit and debit card data from millions of customers, as well as stealing Personal Identifiable Information (PII) from British Airways’ customers and staff. British Airways concluded that during their cyber heist, the hackers siphoned off credit and debit card data (also referred to as card-skimming),and personal data from 425,000 of their customers and staff. As a result, British Airways was slapped with a £20 million (USD $26 million) fine from the Information Commissioner’s Office (ICO), a UK government watchdog group. The ICO determined that British Airways did not take the right precautions in protecting the sensitive data of its customers. However, the ICO fine was not the end of the damage caused by the FIN6 breach of British Airways. On July 5, 2021, British Airways settled a legal claim made by a group of the airline’s customers and staff, whose data had been leaked during the breach. The settlement was kept confidential, and the airline agreed to pay compensation for qualifying claimants but did not admit liability, according to news sources.
The number of customers affected by the Ticketmaster UK breach, at the hands of FIN6, numbered in the millions. In fact, security experts estimate that the 2018 attack impacted 9.4 million customers. The UK ICO determined that the breach led directly to widespread fraud. As such, they levied a fine of £1.25 million on the ticket agency stating that the corporation “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page” – and this violated the E.U.’s General Data Protection Regulations (GDPR).
And while top online electronics retailer Newegg couldn’t specify just how many of their customers’ credit and debit cards were stolen, security reports found that the threat actors were inside Newegg’s IT network for a month before being detected, giving the cyberattackers a full 30 days to skim many of Newegg’s customers. Newegg is estimated to receive over 50 million visitors a month, according to Similarweb, a firm which collects information on site visits.
Conservatively, security firm FireEye estimates that between 2016 and 2019, FIN6 is believed to have stolen 20 million payment cards worth $400 million. The FIN6 gang first gained notoriety in 2014 for their attacks against point-of-sale (POS) machines in retail outlets and hospitality companies , but as proven by their attacks against British Airways, Ticketmaster UK and Newegg in 2018, they wholeheartedly moved on to target online payment systems of large e-Commerce companies.
Interestingly, intelligence analysts with Visa reported that at the end of 2018, FIN6 was specifically targeting numerous e-Commerce companies’ payment servers and using malicious documents to infect their targets with the more_eggs component of the Golden Chickens malware, as the initial phase of their attack.
That activity mirrors another threat campaign that was reported separately in February 2019 by ProofPoint researchers. In these incidents, threat actors were observed attacking retail, entertainment and pharmaceutical companies’ online payments systems and using malicious documents, laden with the more_eggs component of Golden Chickens, to target the companies’ employees. The threat actors sent fake job offers to the employees, cleverly using the job title listed on their LinkedIn profiles in their communications. Could FIN6 be behind this Golden Chickens attack campaign?
Later in August 2019, the FIN6 operators launched another malicious campaign, and researchers believe FIN6 was actively going after multinational organizations. Like the February 2019 campaign, employees were spear phished with fake job offers. According to researchers, the threat actors began by targeting handpicked employees using LinkedIn messaging and email.
Between the end of 2018 and April 2021, there have been three distinct Golden Chickens/more_eggs LinkedIn campaigns using the same modus operandi (MO). Each campaign targeted corporate employees, utilized their LinkedIn profile, and then social engineered them with bogus job offers, which lead to the more_eggs component of Golden Chickens.
Another Russia-based organized cybercrime gang that has been plaguing financial institutions since at least 2016 and is known to use the Golden Chickens malware suite. The Cobalt Group is reported to have caused the financial industry over a billion dollars in cumulative losses. Their crime spree includes the targeting of 100 financial institutions in more than 40 countries worldwide, allowing the criminals to steal more than USD $11 million per heist.
The Cobalt Group's typical MO was to infiltrate banking institutions by sending spear phishing emails with malicious attachments to bank employees. The Cobalt Group repeatedly used Golden Chickens and its more_eggs backdoor in their attacks. Once downloaded, the cybercriminals gained access to the infected computer and were able to access the internal banking network. The Cobalt Group was said to have spent months inside the infected networks studying the bank’s operations and workflows, including the Society for Worldwide Interbank Financial Telecommunications (SWIFT) bank system.
The Cobalt Group also gained notoriety for its “jackpotting“ schemes where they would break into bank servers that controlled the ATMs and manipulate the ATMs to remotely dispense cash at a certain time, in predetermined locations, where money mules waited to collect the cash.
The Evilnum group, believed to be out of Belarus, is best known for compromising financial technology companies and companies that provide stock trading platforms and tools. They target financial information about the FINTECH companies and their customers, seeking out spreadsheets, customer lists, investments, trading operations and credentials for trading software platforms. The Evilnum group is also known to spear phish employees of the companies they are targeting and enclose malicious zip files. If executed, the employees often get hit with the more_eggs backdoor, along with other malware.
Quo Intelligence first connected VENOM SPIDER to the threat actor “badbullzvenom”. This attribution was made possible due to a dispute on the Exploit.in hacker forum. In the thread, private conversations are revealed between a Golden Chickens MaaS customer, BlackAngus, and the MaaS provider, badbullzvenom. The dispute centered around a sample of the malware appearing in VirusTotal, causing the customer to be banned from the service. Because the actual sample in VirusTotal was linked in the thread, researchers were able to confirm the connection to the Golden Chickens MaaS and identify badbullzvenom as the MaaS operator.
From the entire content of his posts on Exploit.in, we learn the following information about badbullzvenom:
Digging deeper into Open Source Intelligence (OSINT), TRU studied numerous security reports in order to connect the various forum accounts engaged with the Golden Chickens MaaS, and we found one published by Trend Micro in 2015 titled: Attack of the Solo Cybercriminals – Frapstar in Canada, where the threat actor is identified as a lone carder (a criminal who monetizes stolen credit cards) with accounts and multiple aliases (including badbullzvenom) on several hacker forums.
From this report, we learn more key information about the threat actor who goes by Frapstar:
In the report from Trend, we see that user E39_Frap* self-identifies as “Chuck from Montreal”. However, this seems to be at odds with the information from the Exploit.in forum where the threat actor says he is from Moldova and can write in Romanian, as well as in English and French. He even participates in a thread on the Lampeduza forum titled “Romanian only”. However, in the earlier thread, we also see where badbullzvenom says he can write in French, which could show a possible connection to Montreal.
Is the threat actor behind the badbullzvenom account from Montreal, Moldova or another Eastern European country where Romanian is spoken? This remained a mystery until we had the opportunity to read through many of the threat actor’s older forum posts. Here we found mentions on multiple occasions of the badbullzvenom account being shared between two people. (See Figures 3 and 4).
TRU believes that “Chuck” is just one threat actor that operates the badbullzvenom account at times, and is in fact located in Montreal, Canada. We also believe there is a second threat actor, possibly from Moldova or Romania, that operates the badbullzvenom account alongside “Chuck.”
Badbullzvenom’s activity on Exploit.in, over the years, demonstrates a progression from a “script kiddie” to a MaaS provider:
2013 – badbullzvenom first recorded posts on the forum that are often complaints about other users. He demonstrates an interest in Canadian computer traffic and Canadian banks such as TD, CIBC, Scotiabank, and BMO.
2014 – Throughout the majority of 2014, badbullzvenom only posts three times in Exploit.in.
2015 – badbullzvenom returns from his hiatus, but he tends to demonstrate more confidence and technical acumen. He points other members to appropriate tools of the hacking trade, participates in banter, shows an interest in banking trojans for sale, and starts giving more positive reviews.
2016 – After another hiatus, badbullzvenom returns once again, offering for sale his first cyber tool. He only nets two customers and in this time, he continues to show interest in banking trojans and cryptors, as well as a continued interest in financial data relating to Canada. He also makes aggressive and offensive comments, including one statement he makes before going on hiatus again, where he tells one member of Exploit.in to kill themselves, and he offers to pay for the bullet.
2017-2019 – badbullzvenom returns to the forum once more, offering the sale of “Word 1-day doc builder” – known today as VenomKit. It is a malicious document builder that takes advantage of Windows Office exploits. He accumulates customers quickly and continues to develop the builder, adding new exploits as they appear and updating its features. For example, PowerShell is removed from the attack chain to reduce detection, .dll support is added for payloads, and a .js downloader (likely the more_eggs backdoor component of Golden Chickens is added and is for sale.) During this timeframe, Cobalt Group is reported as using badbullzvenom’s builder to deploy Cobalt Strike in attacks on banks – then again in 2018. In 2019, FIN6 is observed using more_eggs with employment lures.
In recent years, database leaks have exposed billions of users’ credentials, leading to hacking and privacy concerns. However, one aspect of this activity works in favor of network defenders – the fact that numerous hacking forums have had their user databases leaked, offering an opportunity to make connections between online personas of known threat actors and their real-world identities.
Referencing the 2015 Trend Micro report, we confirmed the threat actor had accounts in three underground forums. These forums were later breached, and the user databases leaked, revealing email addresses used by the threat actor in the past:
Other database leaks revealed an account using the [email protected] email address with the password “Nay45uck+”. Pivoting on this piece of information leads us to an old Myspace account registered to [email protected] that used the same password. While it is possible there could be two users that coincidentally chose the same rather unique password, searching Google leads us to the account “crazyteg67” on the Montreal Racing forum using that email address, to sell $1000 worth of gift cards for $700.
This account seems to be shared by multiple people, as there are frequent posts offering items for sale with different contact phone numbers and first names in the offer. One of the contact names is “Chuck”.
The crazyteg67 user also owns a BMW 540i according to his own posts:
Pivoting on the “dalion67” username, we find a Pinterest account for “Dee Inconegro”, with a few boards created under it. One of those boards is dedicated to BMW M5 series photos, and another is dedicated to photos of English Bull Terriers, and the name of the board is “Bad Bullz”.
Interestingly, there is a Facebook account using the same fake name “Dee Inconegro”, with only a few posts. However, we can see references to this account in other users’ posts, one of which referred to the account by an older name, “Keyser Sensei” (See Figure 11), which we found amusing as it appears to be a reference to the mysterious crime lord character—Keyser Söze in the movie, Usual Suspects.
Additionally, this account is linked through multiple friends to another account with the name “Chuck Larock”, which appears to be an older account of the same actor, where he shared photos of his English Bull Terriers. However, this name is also an alias, not the real name of the threat actor.
Even though the threat actor is careful to never use his real name when creating social media or forum accounts, a comment from one of “Chuck Larock’s” Facebook friends gives us a clue.
The comment, where a friend says: “yo [name redacted] ca va” which casually means “hey, how are you?” in French. This might easily be overlooked, because the name the friend calls out in the comment is not a common name and not meaningful by itself. However, in the context of Dee Inconegro’s Facebook page, we find another clue. From public records, we learn that Dee Inconegro’s listed employer, [company name redacted.ca], is actually owned by a man who goes by [name redacted], a Canadian citizen of Haitian descent.
It appears that [company name redacted.ca] is a sole-proprietor business, operated from a residential address in Montreal. One former Google Street View photo shows an image of the location with two BMWs in the driveway and a person (possibly our threat actor) standing in front.
This name matches another email address posted by the account on the Montreal Racing forums, [name redacted]@sympatico.ca.
References to the number “67” in usernames used by the threat actor and his associates could suggest an affiliation with the Montreal 67s, a Haitian street gang.
Golden Chickens is a stealthy, highly functional, all-in-one suite of malware. It consists of various components that threat actors can select for their objectives:
More_eggs – This is the Golden Chickens‘ key component. More_eggs provides threat actors with a back door and a malware loader.
VenomLNK – Initial access for more_eggs. VenomLNK is a .lnk file (Windows shortcut) sent to victims to instigate User Execution.
TerraLoader – The primary goal of VenomLNK is to instantiate TerraLoader which can then load the individual objective-based plugins.
TerraRecon – Performs initial environmental analysis of the infected machine and provides threat actors with some rudimentary information of the organization‘s network.
TerraStealer – Harvests credentials and emails from browsers, email clients, and transfer utilities.
TerraTV – Allows threat actors to move laterally in the network by hijacking the organization‘s running instance of TeamViewer.
TerraPreter – Provides a meterpreter shell that allows threat actors to perform actions such as lateral movement, discovery, and credential theft manually.
TerraCrypt – An encryption payload for ransomware extortion attacks.
Since the beginning of 2022, TRU has observed several incidents in which VenomLNK, a .lnk file (a Windows shortcut) sent to victims to instigate User Execution, was leveraged to target corporate hiring managers in the U.S. A single sample uploaded to VirusTotal in July 2022, from France, pointed to a new resume-themed download server, suggesting ongoing cyberattacks utilizing Golden Chickens. The associated URL indicates the malware is being used to go after e-Commerce companies, which we know is a favorite target of FIN6, the financial crime group known for successfully compromising large e-Commerce companies including British Airways, Newegg, Ticketmaster and countless others.
In order to deliver VenomLNK to victims and ensure that they click on them, the Golden Chickens operators leverage employee recruitment processes. The threat actors engage targets through services such as LinkedIn, Indeed, and the organization‘s own careers section of their website. In the past, operators started by engaging the victim on LinkedIn, eventually following up with a job offer through email.
In the July campaign, VenomLNK is hosted on a personal branding web page (See Figures 18 and 19). The operators then send a link leading to a mock resume PDF through the organization‘s recruitment platform (e.g. Indeed, LinkedIn, or the organization‘s own career web page). The PDF purports to be broken, offering an embedded link (Figure 20) to the malicious VenomLNK file on the branding website, which the victim then downloads and executes manually after completing a CAPTCHA.
Using a CAPTCHA on a website makes it harder for security researchers and their tools, especially if those tools are automated, to retrieve and analyze if there is any malware present. Evasion tactics, like this, are a clever way for threat actors trying to get a foothold into an e-Commerce company to increase their chances of success.
Not only has TRU detected what appears to be a new Golden Chickens attack campaign, but on July 18, 2022, a threat actor going by “babay” went on to Exploit.in and accused badbullzvenom of stealing $1 million from him. Consequently, babay issued a $200,000 bounty for any information leading to badbullzvenom’s real identity. See Figure 21.
The translation of the complaint made on July 18, 2022, by babay about badbullzvenom in Exploit.in:
“[email protected] a.k.a. badbullzvenom
The total cost of the complaint $1,000,000.
The person scammed me, didn't complete his job, talk total nonsense, I can't contact him and he refuses to return the money back. The situation is private, I sent the logs to the admin.
For the information that can lead to his deanonymization I will pay $200,000 through the guarantor.”
The translation of Exploit.in’s Administrator/Moderator’s response to babay:
“I have looked through the logs, the user is deleted from the forum.”
There is compelling evidence that the threat actor, detailed in this report, is one of possibly two operators behind the badbullzvenom account on Exploit.in.
Interestingly, as of July 2022, all of badbullzvenom’s posts on Exploit.in have been purged from the forum. However, TRU continues to see improvements in the Golden Chickens source code and new Golden Chickens attack campaigns, like the one we detected in July. That tells us that the malware suite is still actively being developed and is being and sold to other threat actors. We expect to see further targeted attacks against financial institutions and organizations, processing large amounts of credit and debit card data, leveraging this malware in the foreseeable future. Thus, TRU is continuing to investigate the Golden Chickens operation and any other parties that may be involved.
It is TRU’s recommendation that organizations take the following steps to protect against the Golden Chickens malware suite:
Connect with an eSentire Security Specialist to learn how we can help you build a more resilient security operation and prevent disruption.