Looking For Malware In All The Right Places – Part 2

What happens when the person you're tracking turns out to have an alter ego?
2 September 2022

badbullzvenom – not one person, but two?

In Part 1 of this story, we heard from Joe Stewart and Keegan Keplinger of eSentire about the process of tracking down the makers of one of the world’s most effective – and discreet – pieces of malware, known as Golden Chickens.

The activity of Golden Chickens was particularly interesting to the likes of eSentire – a global corporate cybersecurity agency – not least because it was elegantly simple in design, but also because it was used in some large-scale cyber-attacks against rich companies, big enough to make the stock market ripple when they got hit. It used simple Windows technology and the social media platform LinkedIn in the easiest, most logical way (fake job vacancies with job descriptions in doc form, fake resumes in doc form) to get into targeted companies’ systems. And it was never used indiscriminately – it was delivered with purpose, with targeting, with almost surgical strike ruthlessness. All of which combined to make it the cyber-weapon of choice for three of the world’s most powerful gangs of internet criminals, including Evilnum.

Tracking down the people behind Golden Chickens – and particularly behind its use as malware-as-a-service – was worth the time and the money of a company like eSentire.

The Story So Far

But when we left you, Joe had tracked the supposed mastermind behind Golden Chickens, the user of the internet handle “badbullzvenom,” from leaked transcripts of hacker forum chat, through, of all things, MySpace, to Pinterest, to Facebook, to local buying and selling boards in Montreal, Canada, to a real life picture of the fake-name that was “Chuck from Montreal.”

Chuck from Montreal was also very likely to be badbullzvenom. He was a fan of English pit bulls – yes, disappointingly, they’re where the “bullz” in his web handle came from. He was a fan of the BMW 5 series. And now eSentire’s Threat Response Unit (TRU) knew where he worked, where he lived, and what he looked like.

But if you thought it was all over bar the SWAT team, you’d have been disappointed. The story of Golden Chickens was far from over. Joe takes up the tale.

Joe Stewart: So we had the picture of “Chuck from Montreal,” and while the face is pixelated, you can get an idea of the guy. He seems pretty proud, you know, he’s got his big cigar in his hands, sitting on the beach, living the life, and he’s selling all kinds of Canadian credit cards, and other things on the black market.

The Party of the Second Part

And what we determined about this guy is that, putting together all the information we have about where he works, what he does, have a feel for his skill level. And then we realize – This guy probably isn’t a coder. He probably doesn’t have the skills to develop the actual malware. So he’s involved somehow, either cashing out the stolen credit cards that are gained from the scheme, or he’s just some other kind of partner providing some sort of service.

But there’s got to be someone else involved here. And in fact, going back and taking another look through his posts on the hacker forums, we see multiple mentions of the fact that he shares this account with a partner.

And going into some other threads, we not only found this partner, but we found out some things about them, too. In various threads, they claim to speak English, French and Romanian, but admit they’re not so good at Russian. Chuck from Montreal, this is not. At one point, they even claim to be from Moldova. We’re not especially convinced by that, because of their use of the Romanian language, but it’s important to understand what we have at this point. We have Chuck-who-isn’t-Chuck, but is in Montreal, maybe handling the selling on of the proceeds of the scams – credit cards and other goods, possibly acquired illegally. And then there’s Player 2, the Developer, probably sitting in Romania, both of them using the same account and the same handle – badbullzvenom – at various points on hacker forums.

THQ: A criminal online gestalt.

Joe Stewart: Yeah, I mean, back in 2015, when the first report came out, you know, they had badbullzvenom mentioned in them, and plenty of these hacker forums are still online, and you could go searching them and see those posts. But when we came back to do this, in 2022, most of those people and most of those posts had gone away. We had to rely on other people’s archives that they had thankfully saved, or just the few hacker forums that were still alive that had posts on them.

Mutiny and the Bounty

Joe Stewart: And then there was the $200,000 bounty on his head.

THQ: The…

Joe Stewart: There was a forum where someone put a bounty of $200,000 on “the head” of badbullzvenom – we’re not sure if they were a former customer, someone he sold malware to, or a former partner, or whatever. Someone was unhappy with “him,” anyhow – they posted a bounty on his head.

THQ: That got real in a hurry. Are we talking his “metaphorical” head – as in information about his true identity, or… his actual head?

Joe Stewart: The thing is, in some cases, you might have a regional hacker forum – say one for Romania. Being a smaller country, with most of the population probably being congregated in Bucharest, or similar large cities, some of these guys probably know each other in real life, and are probably hanging out in real life. People might want to collect on that $200,000 bounty if they actually know who he is.

THQ: The question is whether the bounty-poster would quibble. After all, badbullzvenom is two people, and we know who one of them is…

Joe Stewart: Tempting. We could buy a lot more threads with that bounty. But we want to know more. There will be more on this story as it develops – we have found some very interesting, different threads on the Romanian half of badbullzvenom, the half we believe is absolutely the coder behind the malware. So there’ll be more to say in due course…

THQ: But for now we have eyes on Chuck in Montreal, presumably in collaboration with local law enforcement, and the second half of the puzzle is ongoing in Romania? Now that you’re going public with this, is there any danger that the Romanian half will get spooked and go completely dark?

Keegan Keplinger: I mean, there’s only so much you can do at this point. I mean, we’ve discovered so much about him, and you know, that it’s only a matter of time, really, before we pick up the current trail, right? We’ve got all these archives on these hacker forums and all of these posts, so, sure, he might try and run but I mean, where’s he going to run to? Sitting in Romania is actually probably pretty safe, if he’s there, or Moldova or somewhere like that. I mean, you don’t hear a lot of arrests coming out of Canadian or US law enforcement in those regions. So he might feel pretty safe as it is.

THQ: For now. Here’s to Part 3 of the story – whenever it’s ready.