Looking For Malware In All The Right Places – Part 1

How you track the sellers of sophisticated malware through their online breadcrumbs

Today’s malware and ransomware has evolved from the decades when it was simple, obvious, and led investigators straight to you, painting a neon “CyberCriminal” sign above your head.

These days, ransomware is big business, whether it’s delivered by individuals, groups, or associates of nation states.

The story of the Golden Chickens malware – the weapon of choice for three of the top money making cyber-crime groups in the world – reads like a James Bond story (Goldfinger, Goldeneye, Golden Chickens?), and the way in which the links between its creators, its distributors, and Russian gangs were exposed and investigated is a tale that takes us into hacker forums on the dark web, and from there, backwards in time following a complicated trail of digital breadcrumbs. The story of that investigation is an object lesson to businesses everywhere, showing how complex and diffuse the global cyber-threat really is.

Both the Russia-based FIN6 and Cobalt Group and the Belarus-based Evilnum criminal cyber-gangs are fans and users of the Golden Chickens malware, and between them, they’re estimated to have caused financial losses of over USD $1.5 billion.

Now a new report from the Threat Response Unit at eSentire – a world-leading corporate cyber-protection company – explains not only how Golden Chickens works, but how the people behind that highly effective piece of malware were tracked down.

We spoke to Joe Stewart and Keegan Keplinger from eSentire, who were behind the detection of the cyber-criminals, and they told us how they traced an incredibly sophisticated and effective piece of malware from its observable effects all the way back to the hands who wrote it, the people who sold it, and at least some of the people who bought and used it.

What Is Golden Chickens?

Before we begin hunting Golden Chickens, it’s worth understanding what the malware is, how it works, and why it’s such a big deal.

Keegan Keplinger: It first emerged around 2019, and eSentire first saw it when it was essentially in Beta testing – small events, small attacks, just a trickle of usage. And it impressed the few people who spotted it, because of its simplicity and effectiveness. It arrives on your computer usually as a doc file, and it uses straightforward Windows processes to operate once a user executes it – for instance, by opening the doc. That means there’s nothing especially noticeable for anti-viral programs to latch onto, which in turn means it goes mostly unnoticed until the criminals want it to be noticed.

When it properly came to prominence in 2021, it was at the heart of an equally simple and effective scheme. It targeted people on LinkedIn who were looking for jobs. People would apply for a fake position, the criminals would send them a fake job offer… and in that offer would be hidden the malware.

In 2022, the criminals flipped their original script, and posed as candidates looking for jobs with the companies they were aiming to target. They would send letters or resumes to hiring managers – with the malware hidden inside.

It was when the Golden Chickens group began to target eSentire’s customers that the Threat Response Unit swung into play, and Joe Stewart began to try to join the dots between a visible effect and a highly hidden cause.

The Digging Begins

Joe Stewart: I decided to start looking to see if we could figure out who the actors were behind this. That’s always something interesting to know, you know, what are their motivations, how big of a threat are they? How sophisticated are the actors? How well connected? Are they acting alone, or are they partnering with other actors? Just knowing all of that is really helpful, and it paints a picture of the broad threat landscape to our customers.

Over the past five years, there’s been a surge in leaked databases from different forums – it’s become a real marketplace. One of the prime targets for those types of leaks are hacker forums. You get a lot of disgruntled users on hacker forums – maybe they got banned, maybe they bought something and it didn’t work, maybe they sold something and didn’t get paid. So they hack into that database and leak it.

Once that leak gets shared, we get a good picture of who was using that site – even sometimes down to their IP addresses, their email addresses, even their chronically weak passwords. Generally, hackers don’t use passwords that are better or more secure than civilians, believe it or not.

The Development of Talent

Some of these accounts on the hacker forums stretch back 10 or 15 years, so sometimes you can track their journey from when they were just learning their business right up to when they’re selling malware responsible for hundreds of millions of dollarsworth of lost revenue.

That’s what we’re increasingly able to pick up as security researchers, these trails of hacker personas over time. Sometimes they’ll change their names and rebuild their personas from scratch, but really, on the hacker underground, your reputation is everything you have.  You have to have some sort of credible history of providing reliable services to other hackers. That’s how you avoid the reputation of ripping off other hackers. That means a lot of the time, they’re forced to stick with a persona if they want to keep making money from malware – and that’s useful when you’re tracking them.

We knew from looking at other reports that you know, there was a there was a threat actor that was associated with the malware we were looking at, and that the name that they were using was “badbullzvenom.” We quickly found that username on several hacker forums, with lots of juicy data attached to that account. We actually saw that there was a report from back in 2015, where somebody said “Oh, yeah, there’s this badbullzvenom guy – he’s just working by himself, he’s not really a big deal, just kind of sitting there, posting on all kinds of forums – not just hacking forums, but also automotive forums. He’s known as Chuck from Montreal.”

THQ: So suddenly a username that was wild in the world of hacker forums has what at least could be a real first name, an interest in cars, and potentially a geofence around a single Canadian city?

Joe Stewart: Right! That was intriguing. It says there’s an actual trail that this guy has left. I kept digging, and one of the best clues I came across was a password that had been used by this account. It was kind of a unique password, not something randomly generated, but something that meant something to the user. So I started digging around and pivoting on that. I thought “Okay, what other database leaks are there out there that aren’t hacker forums, where this user might have used their real identity?”

THQ: And what was there?

Joe Stewart: MySpace.

THQ: MySpace?! 

Joe Stewart: We found that there was actually a MySpace user that used this exact meaningful password a long time ago. MySpace is still around, but hardly anyone uses it anymore. But back in the day, you were expected to have a MySpace account if you were online at a certain time. So this guy had one, and he was using a particular email address that was at Hotmail! Something that had “dalion67” in the address. Obviously, in 2022, when badbullzvenom registers for a hacker forum, they’re using safe mail domains and trying to hide where they’re at. But here’s this Hotmail address sitting out there that’s tied to the same password. So it’s likely that they’ve used this elsewhere. So just plugging “dalion67@hotmail.com” came up with two really good hits.

One was a Pinterest account, where the user that created that account, going by that same name “dalion67,” had created a few boards. And two of his boards matched with things we knew about the badbullzvenom user – one of the boards was about BMW 5 Series. We knew from the previous report that this guy “Chuck from Montreal” was into BMW M5s. And the other board was called “Bad bullz,” which was kind of like, “Hello. Big, big flashing sign there, leading us right to this guy.”

The Convergence Of Threads

Want to know what “badbullz” actually was? He had English bull terriers, pit bulls. A lot of people think “badbullz” and they go to an image of a big bull standing out in the field, with huge horns and all that stuff, but he was talking about his dogs all the time!

Naturally, we started taking a real interest in this particular account. Digging into it, we found that, you know, not only was this this de dalion67 Hotmail account used on the racing forums in Montreal, but there was plenty of indication that there were lots of transactions going on on the Montreal forum. Somebody using that account was selling all kinds of items, like heavily discounted gift cards, and brand new PS2s and Xboxes – stuff that’s kind of kind of suspect as to whether they were legitimately purchased or not. But one of the names that was dropped in one of these offers… was Chuck. In Montreal.

So we have another connection back to this Chuck character in Montreal. And on the other side, there was a name associated with the Pinterest account. It was a fake name, but that’s also a nice unique kind of lead. So searching that, we find a Facebook account registered to that exact same name. And now we get a little bit more detail. Now we’ve got a couple of pictures of the person. They’re still not using any real names, but we’ve got the business they say they work at.

THQ: From hacker forums, to Myspace, to Pinterest, to Montreal forums, back to Pinterest, and now onto Facebook? Quite the breadcrumb trail, considering the Golden Chickens malware is so distinctly discreet.

Joe Stewart: And then we find that all of his friends are connected to another account, belonging to somebody that posts pictures… of his English bull terriers. And his name just happens to be Chuck. So we think that since all the friends have these two accounts in common, it’s the same guy. Maybe one’s an older account, and then he got a new account, maybe he got locked out of the old one or something.

Keyser What-Now?

Joe Stewart: But we find on that account, there were more links back. One of the usernames that he used on the hacker forums was K Sensei. It turned out that the older “Chuck” account had the name Keyser Sensei, (a play on Keyser Soze, the “invisible man” in The Usual Suspects). So K Sensei fit in here. At that point, we’d found so many connections back to this guy that we were pretty certain that we were on the right trail. But he’s been really careful, he’s keeping all of his real-world data off social media, including his real name. We see that he’s in Montreal, and we know that he’s into BMWs and pit bulls. But other than that, there’s not much to go on, except for the name of the place he worked. So we started digging into that company, and went to the Quebec business registry to see who owned the company.

We find out everything about the employees – including that the business is registered to a name that matches one of the email addresses found on the Montreal racing forums under this “Chuck’s” account. He’s not just an employee of the business, he’s the owner of the business. So right there, we have his real name and his address. So we can go look the pictures on Google Streetview of his house – with his BMW standing out front, and he’s standing out there in front of it.

Think that’s the end of the Golden Chickens story? Nowhere close. In Part 2, we discover the two sides of badbullzvenom, the Moldovan connection, the independent information-bounty placed by a “brother hacker,” and how a bull terrier fan in Montreal comes to be connected with the malware-as-a-service product behind several high profile scams.