How eSentire used OSINT to unmask threat actor behind Golden Chickens MaaS

eSentire’s Threat Response Unit (TRU) announced it has uncovered the identity of the threat actor behind Golden Chickens, the “cyber weapon of choice” for three of the top money-making, longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group and Belarus-based Evilnum, estimated to have collectively caused over $1.5 billion in financial losses.

Following a 16-month investigation, TRU found that the account behind Golden Chickens goes by badbullzvenom, and claims to be from Moldova and to work with the Russia-based Cobalt Gang, which was also evident in public analysis of Golden Chickens campaign Indicators of Compromise (IOCs). The operator behind Golden Chickens is referred to by CrowdStrike researchers as VENOM SPIDER.

Quo Intelligence first connected VENOM SPIDER to the threat actor badbullzvenom, due to a dispute on the Exploit.in hacker forum. Here, Golden Chickens MaaS customer BlackAngus and the MaaS provider badbullzvenom argued because a sample of the malware had appeared in VirusTotal. As the actual sample in VirusTotal was linked in the thread, researchers were able to confirm the connection to the Golden Chickens MaaS and identify badbullzvenom as the MaaS operator.

As they went through the history of his posts on Exploit.in, TRU found multiple mentions of the account being shared between two people and learned that badbullzvenom claims to be from Moldova, to work for the Russia-based Cobalt Gang, and to speak Romanian, French and English.

Digging deeper into OSINT, TRU found a second threat actor, who goes by Frapstar and self-identifies as Chuck from Montreal. TRU found Chuck by studying numerous security reports while trying to connect the various forum accounts engaged with the Golden Chickens MaaS. They found one published by Trend Micro in 2015, titled Attack of the Solo Cybercriminals – Frapstar in Canada, where the threat actor is identified as a lone carder with multiple accounts and aliases, including badbullzvenom.

TRU has discovered that Frapstar, or Chuck, has a keen interest in obtaining stolen Canadian credit card accounts and owns a BMW 5 Series automobile, specifically the E39 540i. He also used the following usernames on various forums: Badbullzvenom, Badbullz, Frapstar, Ksensei21 and E39_Frap* (i.e., E39_Frapstar).

TRU concluded that Chuck is just one of the threat actors operating the badbullzvenom account, doing so at times, and is in fact located in Montreal, Canada. As old forum posts revealed, there is also a second threat actor, possibly from Moldova or Romania, who operates the badbullzvenom account alongside Chuck.

TRU used the data gathered from forums to build a timeline of badbullzvenom’s progression from script kiddie, starting in 2013, to MaaS provider, starting in 2017. Following a data leak, TRU was able to confirm that the threat actor had accounts on three underground forums: Carder.pro, Opensc.ws and Carder.su. Besides the already known nickname frapstar used on two of the accounts, there was also an account which used the [email protected] email address with the password “Nay45uck+”, which was also used for a MySpace account registered with the [email protected] email. A Google search revealed a connection to the crazyteg67 account on the Montreal Racing forum, which was selling gift certificates. The account was used by multiple persons, but one of the contact people was Chuck, and according to one of his posts asking for advice on replacing a clutch, he owns a BMW 540i. The dalion67 username was connected to a Pinterest account for Dee Inconegro, where one board was dedicated to photos of the BMW M5 series and another to photos of English Bull Terriers, under the name Bad Bullz.

A Facebook account of Dee Inconegro is referenced in other posts under an older name, Keyser Sensei, and is connected through multiple friends to an account named Chuck Larock. Dee Inconegro’s listed employer is a Canadian citizen of Haitian descent who, according to public records, operated from a residential address in Montreal. One Google Street View photo shows the house and two BMWs, as well as a person standing in front of the vehicles. The name also matches an email address posted by the account on the Montreal Racing forums.

“There is compelling evidence that the threat actor, detailed in this report, is one of possibly two operators behind the badbullzvenom account on Exploit.in,” TRU says, adding that as of July 2022, all of badbullzvenom’s posts on Exploit.in have been purged from the forum.

Image source: pixabay.com

Author: OSINT NEWS
