Unmasking the Mastermind: the Key Player behind Golden Chickens

The cybersecurity landscape is rife with hidden threats and elusive criminals. In a recent breakthrough, eSentire, a prominent cybersecurity firm, has managed to expose the identity of the second threat actor associated with the notorious Golden Chickens malware. This revelation comes as a result of a fatal operational security blunder committed by the individual known as Jack, who hails from Bucharest, Romania.

The Rise of Jack, the Enigmatic Cybercriminal

Jack, also known as “badbullzvenom,” forms one half of the criminal duo that operates on the Russian-language Exploit.in forum, with the other member being “Chuck from Montreal.” However, eSentire’s meticulous investigation has identified Jack as the true mastermind behind the Golden Chickens malware, unravelling a web of aliases and covert activities. Remarkably, evidence uncovered by eSentire suggests that Jack is not solely focused on cybercrime; he is also listed as the owner of a vegetable and fruit import and export business.

A Trail of Deception and Mastery

Similar to Chuck, Jack employs multiple aliases across underground forums, social media platforms, and Jabber accounts, employing elaborate measures to conceal his true identity. According to eSentire researchers Joe Stewart and Keegan Keplinger, Jack has gone to great lengths to obfuscate the Golden Chickens malware, ensuring its evasion from detection by most antivirus companies. Moreover, he strictly controls access to the Golden Chickens Malware-as-a-Service (MaaS), allowing only a select few customers to purchase its illicit benefits.

The Golden Chickens Malware: A Menace in the Cyber Realm

Golden Chickens, also known as More_eggs, stands as a malevolent malware suite exploited by financially motivated cybercriminal groups like Cobalt Group and FIN6, alias Venom Spider. These threat actors operate under a lucrative malware-as-a-service model, utilizing the Golden Chickens suite to propagate their nefarious activities. The JavaScript-based malware is predominantly distributed through phishing campaigns and incorporates various components for harvesting financial information, executing lateral movements within compromised systems, and even deploying a ransomware plugin named TerraCrypt, which belongs to the PureLocker ransomware family.

From Novice to Notorious: Jack’s Cyber Journey

eSentire’s investigation has uncovered Jack’s digital footprints, dating back to his early involvement in cybercrime forums as a novice member at the young age of 15 in 2008. Tracking his aliases collectively as LUCKY, the trail traces Jack’s evolution from an enthusiastic teenager interested in building malicious programs to an experienced hacker proficient in developing password stealers, crypters, and the infamous More_eggs malware.

Unveiling Jack’s Malicious Arsenal

Jack’s early ventures into malware development led to the creation of notable tools in 2008. Among them was Voyer, a potent malware capable of harvesting Yahoo instant messages, and FlyCatcher, an information stealer proficient in recording keystrokes. In the subsequent year, Jack unleashed CON, a sophisticated password stealer targeting various web browsers, VPN applications, FTP software, as well as defunct messaging platforms such as MSN Messenger and Yahoo! Messenger.

Later in the same year, Jack introduced GHOST, a crypter designed to assist other cybercriminals in encrypting and obfuscating malware to evade detection. Tragically, the sudden demise of Jack’s father in a car accident in 2010 is believed to have caused him to pause development of this tool.

By 2012, Jack had gained notoriety within the cybercriminal community, albeit for the wrong reasons.

that’s it <3