| Golden Chickens | |
| --- | --- |
| Other Names | badbullzvenom |
| Location | Moldova |
| Date of initial activity | 2012 |
| Suspected Attribution | Cybercriminals |
| Motivation | Financial Gain |
Overview
The Golden Chickens malware suite has emerged as a highly sophisticated and stealthy tool in the world of cybercrime, serving as the preferred weapon for some of the most notorious cybercriminal groups. For the past 16 months, eSentire’s Threat Response Unit (TRU) has meticulously tracked and analyzed this dangerous Malware-as-a-Service (MaaS), uncovering its use by the Russia-based FIN6 and Cobalt Group, as well as the Belarus-based Evilnum group. Collectively, these groups have caused financial losses exceeding USD 1.5 billion, using Golden Chickens to execute targeted attacks against financial institutions, e-commerce platforms, and other critical industries.
Golden Chickens is not just another piece of malware; it is a carefully designed, multi-component suite that enables cybercriminals to infiltrate systems with remarkable precision. The suite’s most infamous component, known as “more_eggs,” is particularly adept at deceiving its victims through spear phishing campaigns. These campaigns often target corporate employees on platforms like LinkedIn, using tailored messages that exploit the victims’ job roles and interests. The versatility and effectiveness of Golden Chickens have made it a staple for high-stakes cybercrime operations, enabling these groups to conduct devastating attacks with minimal detection.
One of the most significant revelations in the fight against Golden Chickens came when eSentire’s TRU identified the operator behind this sophisticated malware suite. Known by the alias “badbullzvenom,” this threat actor has been linked to various cybercriminal forums and operations, including partnerships with the infamous Cobalt Gang. Further investigations have also connected “badbullzvenom” to a second threat actor, “Frapstar,” believed to be based in Montreal, Canada. This identification marks a critical step in understanding the infrastructure and operations behind Golden Chickens, providing cybersecurity professionals with invaluable insights into the malware’s origins and evolution.
Attack vectors
Phishing
Software Vulnerabilities
How they work
The threat actor’s primary toolset includes a suite of malware strains such as More_eggs, TerraLoader, TerraPreter, and TerraStealer. These tools are designed to evade detection by traditional security solutions and are often delivered via phishing emails or malicious links. The malware can perform a variety of tasks, including credential theft, data exfiltration, and lateral movement within a compromised network. More_eggs, one of the most well-known tools in their arsenal, is particularly notorious for its use of legitimate Windows processes to execute its payload, making it difficult to detect and remove.
Golden Chickens operates by offering these tools to other cybercriminals on a subscription basis, enabling a broader range of malicious actors to launch sophisticated attacks without the need for extensive technical expertise. This approach not only expands the reach of Golden Chickens but also increases the complexity of attributing specific attacks to them, as their tools are used by multiple threat actors. The group’s ability to continuously update and improve their malware, combined with their use of obfuscation techniques, ensures that their operations remain under the radar for extended periods.
In addition to their technical prowess, Golden Chickens is known for its careful selection of targets. They often focus on organizations that possess valuable data or have a high potential for financial gain. Once inside a network, the threat actor typically engages in reconnaissance to identify critical assets before deploying their malware. This meticulous approach allows them to maximize the impact of their attacks, often resulting in significant financial losses for the victims. As cybersecurity defenses evolve, Golden Chickens continues to adapt, making them a persistent and dangerous threat in the ever-changing landscape of cybercrime.
MITRE Tactics and Techniques
Phishing: Spear Phishing Link (T1566.002)
Golden Chickens often employs spear phishing campaigns, particularly on platforms like LinkedIn, where tailored messages lure victims into clicking malicious links.
Execution: Command and Scripting Interpreter (T1059)
The malware suite uses scripting languages, such as PowerShell or JavaScript, to execute payloads and establish persistence on the victim’s system.
Execution: User Execution (T1204)
Golden Chickens relies on user interaction, such as opening a malicious file or clicking a link, to trigger the execution of its malware components.
Defense Evasion: Obfuscated Files or Information (T1027)
The malware employs obfuscation techniques to hide its code and evade detection by security solutions.
Defense Evasion: Masquerading (T1036)
Golden Chickens disguises its malicious components as legitimate files or processes, making it difficult for victims and security tools to recognize the threat.
Credential Access: Input Capture (T1056)
The malware suite includes components that can capture user inputs, such as keystrokes, to steal credentials and other sensitive information.
Persistence: Office Application Startup (T1137)
Golden Chickens can establish persistence by modifying the startup behavior of Office applications, ensuring that its payloads are executed whenever the user opens these applications.
Privilege Escalation: Exploitation for Privilege Escalation (T1068)
The threat actor may exploit vulnerabilities in the operating system or applications to gain higher privileges on the compromised system.
Lateral Movement: Remote Services (T1021)
Once inside a network, Golden Chickens can move laterally using remote services, such as Remote Desktop Protocol (RDP), to spread across systems.
Command and Control: Application Layer Protocol (T1071)
The malware communicates with its command-and-control servers using standard application layer protocols, such as HTTP/HTTPS, to blend in with regular network traffic.
Exfiltration: Exfiltration Over C2 Channel (T1041)
Data stolen by Golden Chickens is often exfiltrated through the same channels used for command and control, ensuring a seamless flow of information between the infected system and the threat actor.