Cybersecurity researchers have uncovered the real-world identity of the threat actor behind the Golden Chickens malware-as-a-service, who operates under the online persona “badbullzvenom”.
eSentire’s Threat Response Unit (TRU), in an in-depth report published after a 16-month investigation, said: “We found multiple mentions of the badbullzvenom account being shared by two people.”
The second threat actor, known as Frapstar, is said to refer to itself as “Chuck of Montreal”, a detail that helped the cybersecurity firm piece together the criminal’s digital footprint.
This includes his real name, picture, home address, the names of his parents, siblings and friends, his social media accounts, and his interests. He is also said to be the sole proprietor of a small business that he runs from his home.
The threat actor’s cyberweapon has been used by other prominent cybercriminal groups such as Cobalt Group (aka Cobalt Gang), Evilnum, and FIN6, all of which are estimated to have caused $1.5 billion in combined losses.
Some past More_eggs campaigns, dating back to 2017, involved spear-phishing business professionals on LinkedIn with fake job postings. The malware allows threat actors to remotely control a victim’s machine, which they use to gather information and even deploy additional malware.
Last year, in a reversal of sorts, the same tactic was employed against corporate recruiters, who were targeted with malware-laced résumés as the infection vector.
The earliest record of Frapstar activity dates back to May 2015, when Trend Micro described the individual as a “lone criminal” and a luxury car enthusiast.
“Using multiple aliases for underground forums, social media, and Jabber accounts, ‘Chuck’ and threat actors claiming to be from Moldova have gone to great lengths to disguise themselves,” said eSentire researchers Joe Stewart and Keegan Keplinger.
“They also went to great lengths to obfuscate the Golden Chickens malware, making it undetectable by most AV companies and restricting customers to using Golden Chickens for targeted attacks only.”
Chuck is suspected to be one of the two threat actors operating the badbullzvenom account on the Exploit.in underground forum, with the other possibly based in Moldova or Romania, eSentire points out.
The Canadian cybersecurity firm said it had also uncovered a new attack campaign targeting e-commerce companies, tricking recruiters into downloading malicious Windows shortcut files from websites masquerading as résumés.
The shortcut, a piece of malware dubbed VenomLNK, acts as an initial access vector to drop More_eggs or TerraLoader, which in turn serves as a conduit for deploying various modules: TerraRecon (for victim profiling), TerraStealer (for information stealing), and TerraCrypt (for ransomware extortion).
“This malware suite is still in active development and is being sold to other threat actors,” the researchers conclude, urging organizations to be on the lookout for potential phishing attacks.