The cybersecurity firm eSentire recently made a significant breakthrough in identifying the second threat actor behind the Golden Chickens malware. The discovery followed a serious operational security blunder by the individual, referred to as "Jack," who resides in Bucharest, Romania. Together with another criminal known as "Chuck from Montreal," Jack operated an account on the Exploit.in forum under the alias "badbullzvenom."
eSentire's researchers describe Jack as the true mastermind behind the Golden Chickens malware. Surprisingly, evidence uncovered by the Canadian company reveals that Jack is also listed as the owner of a vegetable and fruit import and export business, adding an unexpected layer to his criminal activities.
To avoid detection, Jack uses multiple aliases across underground forums, social media platforms, and Jabber accounts. He has also invested heavily in obfuscating the Golden Chickens malware itself, aiming to keep it undetected by most antivirus products. Access to the Golden Chickens Malware-as-a-Service (MaaS) is strictly limited to a small number of customers.
Golden Chickens, also known as More_eggs, is a malware suite employed by financially motivated cybercriminals such as Cobalt Group and FIN6. The suite includes components designed to collect financial information, perform lateral movement, and even deploy a ransomware plugin called TerraCrypt.
eSentire’s investigation into Jack’s online activities reveals a history dating back to 2008 when he was just 15 years old. At that time, he joined multiple cybercrime forums as a novice member under various aliases collectively tracked as LUCKY. Over the years, Jack progressed from an aspiring teenage programmer interested in creating malicious programs to an experienced hacker involved in developing password stealers, crypters, and More_eggs.
In 2008, Jack introduced GHOST, a crypter that allowed other actors to encrypt and obfuscate malware in order to evade detection. However, the tragic death of his father in a car accident in 2010 caused him to halt development of the tool.
In an April 2012 forum post, he mentioned contemplating a move to Pakistan to work for the government as a security specialist, hinting at potential connections there.
Although it remains unclear if Jack eventually relocated to Pakistan, eSentire identified tactical overlaps between a 2019 campaign conducted by a Pakistani threat actor called SideCopy and Jack’s VenomLNK malware. The VenomLNK malware serves as the initial access vector for the More_eggs backdoor.
In 2017, badbullzvenom (aka LUCKY) released VenomKit, which eventually evolved into the Golden Chickens MaaS. The malware's ability to evade detection caught the attention of Cobalt Group, a Russian cybercrime gang that used it alongside Cobalt Strike in attacks targeting financial institutions.
Two years later, FIN6, another financially motivated threat actor, also adopted the Golden Chickens service to facilitate intrusions targeting point-of-sale (POS) machines used by retailers in Europe and the United States.
eSentire’s investigation into Jack’s identity also revealed information about his personal life, including the identities of his wife, mother, and two sisters. It appears that he and his wife reside in an affluent area of Bucharest, as evident from his wife’s social media accounts showcasing their travels to cities like London, Paris, and Milan, accompanied by photos of them wearing designer clothing and accessories.
eSentire's researchers assert that Jack's fatal mistake was his use of a particular Jabber account, which ultimately allowed his real identity to be exposed.