Research Saturday 9.26.20
Ep 153 | 9.26.20

What came first, the Golden Chickens or more_eggs?


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Chaz Hobson: So, Golden Chickens is actually a malware-as-a-service operated by Badbullzvenom, which is a moniker used by an unknown individual on underground forums.

Dave Bittner: That's Chaz Hobson. He's Vice President of Threat Intelligence at QuoIntelligence. The research we're discussing today is titled, "The Latest Golden Chickens Malware-as-a-Service Tools' Updates and Observed Attacks."

Chaz Hobson: Currently, we were able to classify up to eight threat actors that have used the Golden Chickens MaaS in the last four years. Top-tier threat actors, including FIN6 and Cobalt Group, have conducted campaigns utilizing tools and infrastructure from the GC MaaS. And all the threat actors using the GC MaaS mainly target the financial and retail sectors, although we also observed a few campaigns targeting government and chemical companies.

Dave Bittner: Hmm.

Chaz Hobson: Yes, so the MaaS, it supports clients at every stage of the kill chain, both toolkits and infrastructure, covering essentially the structure of an attack, enabling even low-skilled threat actors to execute complex, targeted attack campaigns. An interesting note about this MaaS is that the operator only sells his tools and services for targeted attacks, so clients who are caught conducting widespread campaigns are banned from using the service.

Chaz Hobson: So, since 2018, we've tracked the evolution of the GC MaaS, the activities of its operator, Badbullzvenom, as well as the different threat actors using it. And then by 2019, we uncovered and classified nearly a dozen tools linked to the MaaS. So, since at least 2014, the MaaS operator has sold services on top-tier Russian-speaking underground forums.

Dave Bittner: Well, let's dig into some of the details together. I mean, can you take us through – what are some of the elements that make up the Golden Chickens set of malware tools?

Chaz Hobson: Yeah. So, like I mentioned previously, in 2019, we declassified nearly a dozen tools that we know of that are attributed to the Golden Chickens MaaS. And pretty much this research is from throughout March and April of this year, we observed four attacks utilizing various tools from the MaaS portfolio. And at the time of our writing, we were declassifying our findings for the general public. In the campaigns that we observed during our analysis, we uncovered the MaaS operator created new variants of three existing tools in the service portfolio, with notable code updates to TerraLoader, VenomLNK, and more_eggs.

Dave Bittner: And what do each of those do?

Chaz Hobson:  Yes, so in our blog, we talk about, as I mentioned, we observed the notable updates to the three tools. So, TerraLoader is a multipurpose loader which is written in PureBasic. It's essentially a flagship product of the GC MaaS service portfolio, and it's used as a framework to drop second-stage malware. The updates that we observed for TerraLoader were the new variant used different string deobfuscation and obfuscation, brute-forcing implementation, and anti-analysis techniques. Additionally, the latest variants that we've observed after this research were also 64-bit variants.

Chaz Hobson: So then we have VenomLNK, which is a Windows shortcut file that is likely generated by a newer version of the VenomKit building kit. The updates that we observed was that the new variant uses a new volume serial number, an evolved execution scheme, and only the local path of the Windows command prompt. So, as you know, an LNK file is just a Windows shortcut file, so there's not a lot of code to observe. So these minor changes were the updates that we've seen from the older versions to the newest version. The thing that leads to the linking is the tools that are actually downloaded thereafter – right? – and the C2s which are being used.

Chaz Hobson: And the last tool that we also noticed notable code updates to in this research was more_eggs. So, you might have seen more_eggs previously being highlighted by other researchers as perhaps "Spicy Omelette." But more_eggs is attributed to this MaaS. It's a JavaScript backdoor malware that's capable of beaconing to a fixed C2 server and executing additional payloads downloaded from an external web resource. More_eggs has been widely used by Cobalt in the past, and it's still being used by FIN6. The updates that we observed is that the new variant includes a minimum delay before executing or retrying an action, and cleans up memory after using it. 

Dave Bittner: Hmm.

Chaz Hobson: And these updates indicate that the operator continues to regularly evolve and improve the toolset within his service portfolio and adapt new techniques over time, such as in a campaign that I will describe to you – we highlight in our research he's leveraging TerraLoader to directly inject a payload into memory.

Dave Bittner: Well, let's go through some of the analysis that you did in your research. I mean, can you take us through some of the sightings of this that you all have documented?

Chaz Hobson: Yeah. So, like I was mentioning before, we observe these campaigns during March and April of this year. It was four attacks utilizing various tools. And then overall, we attribute the separately conducted campaigns with confidence varying from low to moderate to FIN6, and our threat actors, GC05 and GC06.tmp. And just to clarify a little bit on GC05 and GC06, we categorize the multiple GC MaaS clients as "GC" followed by a number, based on their overall motives, means, and opportunities. And then additionally, we append ".tmp to the GC categorization to represent that we are still investigating their exact singular attribution.

Dave Bittner: Hmm.

Chaz Hobson: So, the first sighting is related to GC06.tmp And this is the Excel 4.0 macro sheet was used to deliver the GC MaaS infection chain. So, based on our observation, this campaign likely targeted a large German chemical company. Four tools from the GC portfolio were utilized during the campaign, of which one payload is an information stealer we dubbed TerraStealer, but it's also known as "SONE" or "StealerOne." And this also was documented previously in a report from Visa, which they entitled "FIN6 Cybercrime Group Expands Threat to E-commerce Merchants."

Dave Bittner: Well, let's go through some of the other sightings here. What are some of the other places where this has shown up?

Chaz Hobson: Yes. So, aside from this sighting, we also observed three other ones. So, the second sighting is related to GC05. And this is a new campaign with familiar tactics, techniques and, procedures, which involved a financially themed set of initial access artifacts, including a new VenomLNK variant delivered via a spearphishing email. Based on our observations, the campaign aligns with activities and TTPs we previously attributed to GC05, a threat actor we've tracked since September 2019 who leverages the GC MaaS extensively, especially VenomLNK, more_eggs, and TerraStealer.

Chaz Hobson: So, after sighting 2, we're moving into sighting 3 and 4 which are related to – the two attacks share some similar characteristics of previously observed attack activity attributed to FIN6. So, these next two scenarios or sightings are classified as such, and a financially motivated – FIN6 is a financially motivated threat actor group. Based on our analysis of the new campaigns, they might be related to FIN6. We are still working on the attribution.

Chaz Hobson: So, there's sighting 3, which is fake job spearphishing delivering VenomLNK. The file names for both the VenomLNK variant and the archive it was contained within aligned with the theme for the known fake job campaign attributed to FIN6 by both researchers at IBM X-Force and Proofpoint. And this was conducted since at least the middle of 2018. 

Chaz Hobson: Sighting 4, this is TerraLoader directly injecting Metasploit's Meterpreter. The observed new TerraLoader variant I previously highlighted had a modified payload delivery mechanism which decrypts the included payload – which is shellcode – and loaded directly into memory. During our analysis, we identified two DLLs in memory. One was determined to be OpenSSL and the other was Meterpreter, which is a full-featured backdoor.

Chaz Hobson: Just to also add to this, previously in 2019 we identified FIN6 as the only GC MaaS customer using a variation of the approach described above. Further, to the attribution of the April 2019 case, the involved C2 domain registered in January 2019 is also a domain we observed in attack activity we already attributed earlier to FIN6. In April 2020 we detected another attack with the same approach as 2019.

Chaz Hobson: So, with these observations and these sightings, then it's clear that the GC MaaS remains as a preferred service provider for top-tier e-crime threat actor groups due to Badbullzvenom's consistent updates and improvements of tools, and its ability to maintain underlying network infrastructure.

Dave Bittner: And so what are your recommendations for folks to be able to detect this and protect themselves?

Chaz Hobson: Yeah, so, in general, the continued adoption of threat actors leveraging MaaS plays two roles in the cyber threat landscape. So, it enables less-sophisticated actors to execute attack campaigns against high-value targets, which may otherwise be out of scope due to the potentially multilayer perimeter defenses. And it creates a cluster of technical indicators from the same infrastructure that complicates attribution efforts. We always map the tools offered by the GC MaaS to the MITRE attack framework so defenders understand the tactics and techniques which are being employed, so that they can enhance their detection and protection mechanisms. Additionally, we share the full indicators of compromise for attack campaigns so they can be used to defend the organization's perimeter.

Dave Bittner: What is your assessment of this group and in terms of the overall sophistication? Where do you rank them? Is this a sophisticated organization we're dealing with?

Chaz Hobson: Yeah, so, over time, as we continue to track the GC MaaS and the operator, it's very clear that it is a very preferred MaaS in the e-crime underground and that the tools are very useful in executing targeted attacks. This is our – regarding attribution, the way that we are thinking about this and approaching it is that when profiling e-crime threat actors, we always deal with the hypothesis that the malware and the key to infrastructure we are analyzing do not belong to the threat actor per se, but rather to the used MaaS provider. In the last years, we've noticed the tendency of threat actors outsourcing even more parts of the kill-chain to third parties by using and offering MaaS solutions.

Chaz Hobson: When we confirm the use of our GC MaaS, the attribution process focuses on how and when threat actors used it and who they targeted. When attributing GC threat actors to observed attack campaigns, we have identified some unique identifiers which we hypothesize and proven to be true for independently attributing actors using the GC MaaS. Beyond TTPs, configuration variables within the more_eggs configuration and the C2 gate used are independent values which are attributable.

Dave Bittner: Our thanks to Chaz Hobson for joining us. The research is titled, "Latest Golden Chickens Malware-as-a-Service Tools' Updates and Observed Attacks." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.