Cybersecurity researchers have discovered the real-world identity of the threat actor behind it golden chicken Malware-as-a-service using the online persona “badbullzvenom”.
eSentire’s Threat Response Unit (TRU) “found multiple mentions of the badbullzvenom account being shared between two people,” in an exhaustive report released after a 16-month investigation. says.
A second threat actor, known as Frapstar, is said to call itself “Chuck of Montreal” to help cybersecurity firms piece together the digital footprints of criminals.
This includes his real name, picture, home address, names of his parents, siblings, friends, social media accounts and interests. He is also said to be a sole proprietor of a small business he runs from his home.
The attackers’ cyberweapon has been used by other prominent cybercriminal groups such as the Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6, all of which are estimated to have caused $1.5 billion in combined losses. .
Previous More_eggs campaigns (partially dating back to 2017) involved spear-phishing business professionals on LinkedIn who offered fake job offers that allowed threat actors to remotely control a victim’s machine, which they It was used to gather information and even deploy malware.
Last year, in a reversal of sorts, the same tactic was employed, attacking corporate hiring managers and using malware-laden resumes as an infection vector.
The earliest record of Frapster’s activity dates back to May 2015, when Trend Micro described him as a “lone criminal” and luxury car enthusiast.
“Using multiple aliases for underground forums, social media, and Jabber accounts, ‘Chuck’ and threat actors claiming to be from Moldova have gone to great lengths to disguise themselves,” said eSentire. researchers Joe Stewart and Keegan Keplinger said.
“They also went to great lengths to obfuscate the Golden Chickens malware, making it undetectable by most AV companies and restricting customers to using Golden Chickens for targeted attacks only.”
Chuck is suspected to be one of two threat actors operating the badbullzvenom account on the Exploit.in underground forum, possibly in Moldova or Romania, eSentire points out .
A Canadian cybersecurity firm said it had uncovered yet another new attack campaign targeting e-commerce companies, tricking recruiters into downloading malicious Windows shortcut files from websites masquerading as resumes.
Shortcut, a malware called VenomLNK, acts as an initial access vector to drop More_eggs or TerraLoader, which is then followed by TerraRecon (for victim profiling), TerraStealer (for information stealing) and TerraCrypt (for victim profiling). It acts as a conduit for deploying various modules. ransomware extortion).
“This malware suite is still in active development and is being sold to other threat actors,” the researchers conclude, urging organizations to be on the lookout for potential phishing attacks.