Golden Chickens Criminal Group

Golden Chickens is the name assigned to a criminal hacker group that has managed to establish itself as a prominent provider of malware threats in a MaaS (Malware-as-a-Service) scheme. The effectiveness of their malicious tools and Command-and-Control (C2, C&C) infrastructure has managed to attract even APT (Advanced Persistent Threat) groups as their clients. Golden Chickens offer their services on underground forums and their arsenal includes two building kits named Venom and Taurus as well as a sophisticated backdoor Trojan threat called more_eggs (Terra Loader, SpicyOmelette). 

Golden Chickens' Malicious Products

The first builder kit offered by Golden Chickens is VenomKit. It is a specialized tool that allows threat actors to craft custom malicious Rich Text File (RTF) documents. Several different vulnerabilities can be exploited as a breach point into the target's computer system including CVE-2018-8174, CVE-2017-11882, and CVE-2018-0802.  The second stage payload can be downloaded from a Web resource through batch and scriptlet files. 

The second builder is called Taurus Builder Kit. It is used for creating MS Word documents that carry malicious VBA (Visual Basic for Application) macro code. Using this method offers a higher chance to avoid detection by anti-malware solutions but it requires interaction from the victim in order to enable the malicious code. The VBA code is capable of downloading and executing additional malware payloads by exploiting legitimate Windows tools. The more_eggs backdoor is a sophisticated threat that has been employed in the operations of multiple APT groups such as Evilnum, FIN6, and the Cobalt Group. At its core, more_eggs is a JavaScript backdoor capable of sending a beacon to a C2 server and fetching additional end-stage malware payloads downloaded from an external Web resource. More_eggs has several attributes that can be customized according to the desires of the client such as the C2 server, beacon and sleep timers, and more.