The Threat Response Unit (TRU) of eSentire has been monitoring one of the most effective and covert malware families, Golden Chickens, for the past 16 months.
The malware of choice for FIN6 and Cobalt, two of the most established and prosperous online crime organizations in Russia, who have collectively stolen an estimated $1.5 billion US, is Golden Chickens.
The creator of a comprehensive toolkit that includes SKID, VenomKit, and Taurus Loader is Golden Chickens, widely known as VENOM SPIDER. Since at least 2012, the adversary has participated actively in Russian underground forums under the alias 'badbullzvenom,' where they have developed tools for exploiting vulnerabilities as well as for getting and retaining access to victim machines and ticketing services.
The 'Chuck from Montreal' identity used by the second threat actor Frapstar allows the cybersecurity company to link together the criminal actor's online trail.
The malware-as-a-service (MaaS) provider Golden Chickens is associated with several tools, including the JavaScript downloader More Eggs and the malicious document creator Taurus Builder. Previous More eggs efforts, some of which date back to 2017, involved spear-phishing executives on LinkedIn with phony job offers that gave threat actors remote control over victim devices, allowing them to use them to gather data or spread more malware.
By using malware-filled resumes as an infection vector, the same strategies were used last year to target corporate recruiting supervisors. The first known instance of Frapster's activities dates back to May 2015, at which point Trend Micro referred to him as a 'lone criminal' and a luxury automobile fanatic.
According to eSentire, one of the two threat actors believed to be behind the badbullzvenom account on the underground forum Exploit.in maybe Chuck, with the other person probably residing in Moldova or Romania. Recruiters are being duped into downloading a malicious Windows shortcut file from a website that poses as a résumé in a new assault campaign that targets e-commerce businesses, according to a Canadian cybersecurity company.
By highlighting Golden Chickens' multi-layer architecture and the MaaS's multi-client business model, researchers stress the challenges of performing accurate attribution for cyberattacks.