#1238558: Golden Chickens: Uncovering A Malware-as-a-Service (MaaS) Provider and Two New Threat Actors Using It

Description: Over the last few years, QuoScient’s Intelligence Operations Team (QuoINT) has tracked activities attributed to the Cobalt group, and observed their notable evolution and continuously improving Tactics, Techniques, and Procedures (TTPs).

Since September 2018, we have identified multiple attacks that share similar TTPs used by Cobalt during a specific timeframe but exhibit enough differences to attribute them to separate threat actors. This blog post provides an overview of a specific Malware-as-a-Service (MaaS) used within the e-Crime threat actor landscape. It also provides details on two different threat actors using the MaaS that fall under the umbrella of a family we dubbed Golden Chickens: GC01 and GC02. The success of GC operations heavily relies on a specific MaaS sold in underground forums, which provides customers with the malware and the infrastructure they need for targeted attacks. The service owner provides the MaaS through the use of the following toolkits: the Venom and Taurus building kits for crafting documents used to deliver the attack, and the more_eggs (aka Terra Loader, SpicyOmelette) backdoor for taking full control of the infected computer.

Between November 2017 and July 2018, we attributed to GC02 five spear phishing waves which indiscriminately targeted companies and organizations in at least India and the United States. As a result of using the same MaaS provider, GC02 and Cobalt group’s TTPs and infrastructure strongly overlapped in May 2018, making it hard at first glance to differentiate the two threat actors.

Between August and October 2018, we attributed to GC01 nine spear phishing waves targeting multiple companies and organizations operating in the financial industry. Throughout the campaign, we observed the installation of multiple Remote Access Tool (RAT) variations as the result of a successfully compromised victim machine.

By highlighting the multi-layer infrastructure adopted by Cobalt and Golden Chickens, as well as the multi-client business model of the MaaS behind it, we emphasize the difficulty of performing reliable attribution for cyberattacks, and the high uncertainty that analysts are confronted with during the process. To note, other researchers reported the same Indicators of Compromise (IoC) and C2 infrastructure covered in this blog post. We hope that our attribution will clarify the current threat landscape and make the covered threat actor profiles more accurate.

The following blog post is a preview of the Intelligence Assessment we will disseminate to our clients, partners, and vetted requesters.

Cyber attribution is becoming increasingly challenging as threat actors frequently use false flag techniques and shared infrastructure to increase the resiliency of their operations against takedowns and law enforcement investigations. Especially for e-Crime actors, it is a common practice to rent the same bulletproof infrastructure or botnet used by other e-Crime groups, resulting in an increased likelihood of overlapping C2 servers. In recent years, we have noted a tendency of threat actors to outsource even more parts of the kill-chain to third parties by using or offering MaaS solutions. Figure 1 shows an example of such a network where multiple stakeholders are involved.
Figure 1 — Example of attribution complexity

A threat actor can buy several malware from multiple developers, rent the C2 infrastructure from various providers, and deliver the attack vector to victims from yet another provider. This compartmentalized business relationship guarantees the threat actor an elevated level of privacy and deniability since the involved stakeholders rarely know the full scale of the operation. On the other hand, those providers offering MaaS solutions simplify the entire process through One Stop Shop solutions, where one single entity sells and rents both the malware and the infrastructure needed for an attack.

When profiling e-Crime threat actors, we always deal with the hypothesis that the malware and C2 infrastructure we are analyzing do not belong to the threat actor per se, but rather to the used MaaS provider. When we confirm the use of a MaaS, the attribution process focuses on how and when threat actors used it, and who they targeted. By using such an approach, we were able to differentiate past spear phishing campaigns mistakenly attributed to the Cobalt group and characterize two distinct threat actors — GC01 and GC02 — and the MaaS used by them to carry out their attacks.
Golden Chickens’ MaaS

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”). The following section explains the operational model of the Provider, and the toolkits used to deliver the requested service to paying customers.
Operational workflow

A typical business case between a threat actor and the Provider is shown in Figure 2 and detailed below.
Figure 2 – The Provider operational workflow

1. Threat actors buy the service offered and then give the Provider Operator the final payload to be executed on the infected machine. Since we have observed the same threat actor using the Provider to different extents, we assess that the Provider Operator’s offering is modular.

2. The Provider Operator builds the malicious document (maldoc), the backdoor, and prepares the server infrastructure needed for the execution of the attack. Next, the backdoor is stored on a webserver and the full URL path of it is embedded into the maldoc. Lastly, the C2 panel that the backdoor will beacon to is set up.

3. The Provider returns the maldoc to the threat actor. Although not confirmed, the Provider Operator also likely delivers the access details for the backdoor’s C2 web panel.

4. The threat actor disseminates (directly or through the use of a botnet) the maldoc via spear phishing.

5. Once the maldoc is executed on a victim’s machine, it will retrieve and execute the backdoor from the hardcoded web location.

6. The backdoor beacons to the hardcoded C2 on a regular basis and executes the commands it receives.

7. Finally, the threat actor (or the Provider) will review the system details of the infected machine reported by the backdoor, and eventually deploy the final payload.
Building Kits Used

The Provider relies on the use of specific malicious artifacts advertised in the underground since 2017. Those artifacts are generated by three building kits and offered to paying customers with the supporting C2 infrastructure.

VenomKit. VenomKit is a tool that threat actors can use to craft malicious Rich Text File (RTF) documents that exploit multiple vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2018-8174. Successful exploitation leads to batch and scriptlet files being dropped and executed in order to download the second stage payload from a Web resource. The AV detection rate for RTF documents generated by VenomKit is moderate to high due to the exploitation of known vulnerabilities.

Taurus Builder Kit. The Taurus Builder Kit generates Microsoft Word documents weaponized with malicious Visual Basic for Application (VBA) macro code. Unlike the malicious RTFs created by VenomKit, the weaponized Word documents require user interaction in order to enable the contained malicious code. On the other hand, documents generated by this kit are more resilient to AV detection due to the use of multiple layers of obfuscation in the VBA code.

Once the VBA code is enabled by the user, documents created by Taurus Builder Kit will download and execute additional malware by using multiple legitimate Windows tools in order to bypass AppLocker.

More_Eggs Backdoor. More_eggs is a JavaScript (JS) backdoor capable of beaconing to a fixed C2 server and executing additional payloads downloaded from an external Web resource. The backdoor is delivered encrypted inside another JavaScript file, with changing function names, variable names, and encryption keys. Overall, this technique allows the Provider Operator to guarantee its clients a low AV detection rate. The more_eggs building kit allows customization of multiple variables, such as the C2 server, beaconing and sleeping time, and part of the cryptographic key used for ciphering the C2 communications. Figure 3 shows an example of a more_eggs configuration that includes the version number BV, the C2 address Gate, and part of the ciphering key used to encrypt C2 communications, Rkey.
Figure 3 – Excerpt of more_eggs backdoor configured variables
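Because the beaconing and sleeping time are operator-configurable per build (and the backdoor checks in with its hardcoded Gate on a regular basis, step 6 of the workflow above), a defender cannot key a detection on one fixed interval. The following added example, which is not from QuoScient or the Provider's tooling, flags any (source, destination) pair whose request gaps are near-constant, whatever the configured sleep value; the proxy log lines and host names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (hypothetical hosts/IPs, not real IoCs).
# Format per line: "<ISO timestamp> <src_ip> <dst_host> <path>"
SAMPLE_LOGS = """\
2018-10-16T09:00:00 10.0.0.5 gate.example-maas.test /index.php
2018-10-16T09:00:58 10.0.0.5 gate.example-maas.test /index.php
2018-10-16T09:02:01 10.0.0.5 gate.example-maas.test /index.php
2018-10-16T09:03:00 10.0.0.5 gate.example-maas.test /index.php
2018-10-16T09:03:59 10.0.0.5 gate.example-maas.test /index.php
2018-10-16T09:05:02 10.0.0.5 gate.example-maas.test /index.php
2018-10-16T09:00:12 10.0.0.5 news.example.test /home
2018-10-16T09:00:40 10.0.0.5 news.example.test /article/1
2018-10-16T09:07:15 10.0.0.5 news.example.test /article/2
2018-10-16T09:30:01 10.0.0.5 news.example.test /home
2018-10-16T09:45:30 10.0.0.5 news.example.test /home
"""


def parse_logs(text):
    """Group request timestamps by (source IP, destination host)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, src, host, _path = line.split()
        sessions[(src, host)].append(datetime.fromisoformat(ts))
    return sessions


def beacon_score(timestamps, min_events=5):
    """Return (mean_gap_seconds, coefficient_of_variation), or None.

    A backdoor that sleeps a fixed time between check-ins produces
    near-constant gaps, so stdev/mean stays close to 0 regardless of
    the configured sleep value; human browsing yields a high ratio.
    """
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else 0.0)


def find_beacons(text, max_cv=0.1):
    """Return {(src, host): rounded mean interval} for periodic pairs."""
    hits = {}
    for key, times in parse_logs(text).items():
        score = beacon_score(times)
        if score and score[1] <= max_cv:
            hits[key] = round(score[0])
    return hits
```

Hits should be enriched with the destination's reputation and with the process that issued the requests; a periodic check-in from a script host launched by an Office document is the combination that matches the chain described above.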



In general, the continued adoption of MaaS by threat actors plays two roles in the cyber threat landscape: (a) it enables less sophisticated actors to execute attack campaigns against high value targets, which may otherwise be out of reach due to potentially multi-layer perimeter defenses; and (b) it creates a cluster of technical indicators from the same infrastructure that complicates attribution efforts. During our analysis, we identified three threat actors utilizing one particular MaaS which has operated for almost two years, proving its success and profitability. As a result, this scenario of multiple actors using the same MaaS further corroborates why campaigns incorporating aspects of MaaS become harder to attribute and distinguish, given the presumable overlap in technical indicators.
First Aid: GC01

Email Subjects:

Payment Details REF # 18110486098

Re: Payment Ref 34981***** receive problem

Re: Bank query / S-170526–005399


Fund Transfer 08-October-2018

Confirmations on October 16, 2018


Email Attachments (Not-Malicious PDF with Google Redirector)

Google Redirector links

Landing Page

Email Subjects:

Contract April

Description of my complaint about your service

Email Attachments (Not-Malicious PDF with Google Redirector)

Google Redirector links

Landing Page

GC MaaS C2 infrastructure

More info: https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

Date added Nov. 29, 2018, 11:17 p.m.
Source Medium