The chickens have come home to roost for one of the hackers behind an insidious malware.

Cyber sleuths at Waterloo-based eSentire say they’ve unmasked “Chuck from Montreal,” one of the so-called “threat actors” associated with the Golden Chickens suite of software, which has been used by international crime gangs such as Russia’s notorious FIN6 and Cobalt Group, and the Belarus-based Evilnum.

eSentire has not publicly named the man – who has used such aliases as “Chuck from Montreal," “badbullzvenom” and "Frapstar" – but they have provided law enforcement with detailed information, including the man’s name, birth date, home address, social media accounts, the names of parents, siblings and friends, his hobbies (BMWs and English Bull Terriers), an interest in stolen Canadian credit card accounts, a possible association with a Haitian street gang, and a number of photos from social media.

The company also found that a second person, likely from Romania and possibly connected to the Cobalt Group, also shared the badbullzvenom account.

As well, eSentire uncovered a chilling glimpse into the dangerous world of cybercrime: a post on a Russian-language hacker forum from a disgruntled client who appears to have placed a $200,000 bounty on badbullzvenom for allegedly stealing $1 million.

The three cyber gangs mentioned in the eSentire report – FIN6, the Cobalt Group and Evilnum – have collectively caused financial losses over US$1.5 billion, according to the company.

“The significance (of our investigation) is that this process is repeatable,” said renowned cybersecurity expert Joe Stewart, who joined eSentire earlier this year as the company's Principal Security Researcher. “We’re going to be able to do this for more and more threat actors because of all this information that’s available to us now.”

Through a 16-month investigation of shadowy web forums, leaked user data and decade-old social media clues, eSentire’s Threat Response Unit pieced together the real identity of one of the people associated with the “malware as a service” known as Golden Chickens.

In one recent attack campaign, hackers posed as job applicants to fool corporate hiring managers into downloading phony resumes containing a component of the Golden Chickens malware. The tool, called “more_eggs,” was designed to steal valuable credentials such as usernames and passwords for corporate bank accounts, email accounts and IT administrator accounts.

In an interview with Tech News, Stewart and eSentire colleague Keegan Keplinger said they worked backward from the most recent phishing campaigns, comparing telltale signs and clues to leaked data from hacker forums, taking note of user names and tracing links back to a hacker’s earliest malware “scripts” and social media activity.

“A lot of the hacker forums that this user was on are no longer around, and so it’s been kind of challenging to try and dig out these pieces from what’s remaining,” Stewart said. “It's a little bit like archaeology: there’s just bits and shards that we’re able to dig up, and we’re trying to piece together this picture of this whole operation of how these people interacted and what their relationships are.”

Although experienced hackers are skilled at disguising their identities and hiding online movements, Stewart said they often make mistakes when they’re first learning the trade.  

“When these guys start out, they’re usually pretty young and they get into this game and they don’t know much,” he said. “They grow out of that, get better over time. But the thing is, unless they’ve been very careful to go back and delete everything that they’ve ever posted, there’s always this trail of information.”

If following that trail sounds easy, it’s not. It takes skill, experience and investigative instincts to put the clues together. And because a lot of the trails and clues are deleted or programmed to vanish, cyber sleuths must work quickly.

“It’s like trying to find a piece of hay in a haystack that’s on fire because it’s constantly disappearing from the internet,” Stewart said. “You have to move as quickly as you can to capture all of this data.”

Even though he has been involved in many high-profile cybersecurity cases over the years, Stewart said he and his eSentire colleagues learned a lot from their latest investigation.  

“This is just such a treasure trove for us researchers because now we can take an actor that’s doing something really serious and bad on the internet today, we can rewind and go back in history and see not only how did they start out, but what mistakes did they make back in those times when they weren’t being as careful with their OpSec (operational security),” he said.

In its report, eSentire said it continues to see updates being made to the Golden Chickens source code. And the discovery of a Golden Chickens attack campaign in July suggests that at least one threat actor is still developing the malware and selling it to cybercriminals. 

“We expect to see further targeted attacks, leveraging this malware, being launched against financial institutions and other organizations in the foreseeable future,” the report states.

eSentire has posted its report on its website, along with tips about protecting yourself and your company from cyberattacks.