CyberWire Daily - What came first, the Golden Chickens or more_eggs? [Research Saturday]
Episode Date: September 26, 2020
Throughout March and April, QuoIntelligence (QuoINT) observed four attacks (i.e. sightings) utilizing various tools from the Golden Chickens (GC) Malware-as-a-Service (MaaS) portfolio. They recently declassified their findings, after first notifying their clients. Further, during their analysis of the sightings, QuoIntelligence confirmed the GC MaaS operator, Badbullzvenom, released improved variants with code updates to three tools in the service portfolio. Joining us in this week's Research Saturday to discuss the research is QuoIntelligence's Vice President of Threat Intelligence, Chaz Hobson. The research can be found here: Latest Golden Chickens MaaS Tools Updates and Observed Attacks
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting
ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So Golden Chickens is actually a malware-as-a-service operated by Badbullzvenom,
which is a moniker used by an unknown individual in underground forums.
That's Chaz Hobson.
He's vice president of threat intelligence at QuoIntelligence.
The research we're discussing today is titled
The Latest Golden Chickens Malware-as-a-Service Tools, Updates, and Observed Attacks.
Currently, we were able to classify up to eight threat actors that have used the Golden Chickens MaaS in the last four years.
Top-tier threat actors, including FIN6 and Cobalt Group, have conducted campaigns utilizing tools and infrastructure from the GC MaaS.
And all the threat actors using the GC MaaS mainly target the financial and retail sectors, although we also observed a few campaigns targeting government and chemical companies.
Yes. So the MaaS supports clients at every stage of the kill chain, both toolkits and the infrastructure, covering essentially the structure of an attack, enabling even low-skilled threat actors to execute complex targeted attack campaigns.
An interesting note about this MaaS is that the operator only sells his tools and services for targeted attacks.
So clients who are caught conducting
widespread campaigns are banned from using the service.
So since 2018, we've tracked the evolution of the GC MaaS,
the activities of its operator, Badbullzvenom, as well as the different
threat actors using it. And then by 2019, we uncovered and classified nearly a
dozen tools linked to the MaaS.
So since at least 2014, the MaaS operator has sold services on top-tier Russian-speaking underground forums.
Well, let's dig into some of the details together.
I mean, can you take us through what are some of the elements that make up the Golden Chickens set of malware tools?
Yeah, so like I mentioned previously, in 2009, we declassified nearly a dozen tools that we know of
that are attributed to the Golden Chickens MaaS.
And pretty much this research is from throughout March and April of this year,
we observed four attacks utilizing various tools
from the MaaS portfolio.
And at the time of our writing,
we were declassifying our findings for the general public.
In the campaigns that we observed during our analysis,
we uncovered the MaaS operator created new variants
of three existing tools in the service portfolio
with notable code updates to TerraLoader, Venom LNK, and more_eggs.
And what do each of those do?
Yes. So in our blog, we talk about, as I mentioned, we observed the notable updates to the three tools.
So TerraLoader is a multi-purpose loader, which is written in PureBasic.
It's essentially the flagship product of the GC MaaS service portfolio, and it's used as a framework to drop second-stage malware.
The updates that we observed for TerraLoader were that the new variant used different string deobfuscation and obfuscation, brute-forcing implementation, and anti-analysis techniques.
Additionally, the latest variants that we've observed after this research were also 64-bit variants.
So then we have Venom LNK, which is a Windows shortcut file that is likely generated by a newer version of the VenomKit building kit.
The updates that we observed was that the new variant uses a new volume serial number,
an evolved execution scheme, and only the local path of the Windows command prompt.
So as you know, an LNK file is just a Windows shortcut file, so there's not a lot of code to observe.
So these minor changes were the updates that we've seen from the older versions to the newest versions.
The thing that leads to the linking is the tools that are actually downloaded thereafter, right, and the C2s which are being used.
And the last tool that we also noticed notable code updates to in this research was more_eggs. So you might have seen more_eggs
previously being highlighted by other researchers as perhaps SpicyOmelette, but more_eggs is attributed
to this MaaS. It's a JavaScript backdoor malware that's capable of beaconing to a fixed C2 server and executing additional payloads downloaded from an external web resource.
more_eggs has been widely used by Cobalt in the past and is still being used by FIN6.
The updates that we observed is that the new variant includes a minimum delay before executing or retrying an action and cleans up memory after using it.
And these updates indicate that the operator continues to regularly evolve and improve the tool set within his service portfolio and adapt new techniques over time, such as in a campaign that I will describe to you, which we highlight in our research, where he's leveraging TerraLoader to directly inject a payload into memory.
Well, let's go through some of the analysis that you did in your research.
I mean, can you take us through some of the sightings of this that you all have documented?
Yeah.
So like I was mentioning before, we observed these campaigns during March and April
of this year. It was four attacks utilizing various tools. And then overall, we attribute
the separately conducted campaigns with confidence varying from low to moderate to FIN6
and our threat actors GC05 and GC06.temp. And just to clarify a little bit on GC05 and GC06, we categorize the
multiple GC MaaS clients as GC followed by a number based on their overall motives, means,
and opportunities. And then additionally, we append .temp to the GC categorization to represent that we are still investigating their exact
singular attribution. So the first sighting is related to GC06.temp, and this is the Excel 4.0
macro sheet that was used to deliver the GC MaaS infection chain. So based on our observation,
this campaign likely targeted a large German chemical company. Four tools from the GC portfolio were utilized during the campaign,
of which one payload is an information stealer we dubbed TerraStealer, but it's also known as
SONE or Stealer One. And this also was documented previously in a report from Visa, which they
entitled FIN6 Cybercrime Group Expands Threat to E-commerce Merchants.
Well, let's go through some of the other sightings here. What are some of the other
places where this has shown up? Yes. So aside from this sighting, we also observed three other ones.
So the second sighting is related to GC05.
And this is a new campaign with familiar tactics, techniques, and procedures, which involve the financially themed set of initial access artifacts, including a new Venom LNK variant delivered via spear-phishing email. Based on our observations,
the campaign aligns with activities and TTPs we previously attributed to GC05, a threat actor we've
tracked since September 2019, who leverages the GC MaaS extensively, especially Venom LNK, more_eggs, and TerraStealer.
So after Sighting 2, we're moving into Sighting 3 and 4,
which are related to the two attacks,
share some similar characteristics of previously observed attack activity
attributed to FIN6.
So these next two scenarios or sightings are classified as such,
and FIN6 is a financially motivated threat actor group. Based on our analysis
of the new campaigns, they might be related to FIN6. We are still working on the attribution.
So there's sighting three, which is fake-job spear-phishing, delivering Venom LNK.
The file names for both the Venom LNK variant and the archive it was contained within aligned with the theme for the known fake-job campaign attributed to FIN6 by both researchers at IBM X-Force and Proofpoint.
And this was conducted since at least the middle of 2018.
Sighting four, this is TerraLoader directly injecting Metasploit's Meterpreter.
The observed new TerraLoader variant I previously highlighted had a modified payload delivery mechanism,
which decrypts the included payload, which is shellcode, and loads it directly into memory.
During our analysis, we identified two DLLs in memory.
One was determined to be OpenSSL, and the other was Meterpreter, which is a full-featured backdoor.
Just to also add to this, previously in 2019, we identified FIN6 as the only GC MaaS customer using a variation
of the approach described above. Further to the attribution of the April 2019 case,
the involved C2 domain, registered in January 2019, is also a domain we observed in attack activity we already attributed earlier to FIN6.
In April 2020, we detected another attack with the same approach as 2019.
MaaS remains a preferred service provider for top-tier e-crime threat actor groups due to Badbullzvenom's consistent updates and improvements of tools and its ability to maintain underlying
network infrastructure. And so what are your recommendations for folks to be able to detect
this and protect themselves? Yeah, so in general, the continued adoption of threat actors leveraging MaaS
plays two roles in the cyber threat landscape.
So it enables less sophisticated actors to execute attack campaigns against high-value targets,
which may otherwise be out of scope due to the potentially multi-layer perimeter defenses, and it creates a
cluster of technical indicators from the same infrastructure that complicates attribution
efforts. We always map the tools offered by the GC MaaS to the MITRE ATT&CK framework so defenders
understand the tactics and techniques which are being employed so that they can enhance
their detection and protection mechanisms. Additionally, we share the full indicators
of compromise for attack campaigns so they can be used to defend the organization's perimeter.
What is your assessment of this group in terms of the overall sophistication? Where do you
rank them? Or is this a sophisticated organization we're dealing with?
Yeah, so over time, as we've continued to track the GC MaaS and the operator,
it's very clear that it is a very preferred MaaS in the e-crime underground
and that the tools are very useful in executing targeted attacks.
This is our view regarding attribution. The way that we are thinking about this and approaching it is
that when profiling e-crime threat actors, we always deal with the hypothesis that the malware and the C2
infrastructure we are analyzing do not belong to the threat actor per se, but rather to
the used MaaS provider.
In the last years, we've noticed the tendency of threat actors outsourcing even more parts
of the kill chain to third parties by using and offering MaaS solutions.
When we confirm the use of the GC MaaS, the attribution process focuses on how and when
threat actors used it and who they targeted.
When attributing GC threat actors to observed attack campaigns, we have identified some unique identifiers which we hypothesized and proved
to be true for independently attributing actors using the GC MaaS. Beyond TTPs, configuration
variables within the more_eggs configuration and the C2 gate used are independent values
which are attributable.
Our thanks to Chaz Hobson for joining us. The research is titled Latest
Golden Chickens Malware-as-a-Service Tools, Updates, and Observed Attacks. We'll have a link in the show notes.
The CyberWire Research Saturday
is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is
Elliott Peltzman,
Puru Prakash,
Stefan Vaziri,
Kelsey Bond,
Tim Nodar,
Joe Carrigan,
Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, and I'm Dave Bittner.
Thanks for listening.