Shweta Sharma
Senior Writer

Seized Genesis malware market’s infostealers infected 1.5 million computers

News
Apr 06, 2023 | 5 mins
Botnets, Browser Security, Malware

Cybersecurity company Trellix assisted global law enforcement in analyzing infection strategies and payloads used by Genesis Market before its takedown, identifying DanaBot and other malware.


Infamous hacker marketplace Genesis, which was taken down this week by an international law enforcement operation involving 17 countries, was selling access to millions of victim computers gained via the DanaBot infostealer and likely other malware.

Trellix, the cybersecurity firm that assisted in the takedown of the Genesis site, said that malware used by Genesis provided access to browser fingerprints, cookies, autofill form data, and other credentials.

“The disruption of Genesis Market is yet another successful takedown that proves that public-private partnerships are vital in fighting cybercrime,” said John Fokker, head of threat intelligence at the Trellix Advanced Research Center in Amsterdam. “We had been monitoring the marketplace for many years now and are proud to have been able to play a part in the takedown of this notorious market.”

A Trellix analysis could trace only 450,000 of the 1.5 million malware bots announced by law enforcement officials, mainly because Trellix had access only to the advertised listings and not to the marketplace’s full historic database.

The bots on sale, as analyzed by Trellix, are malware infections with real-time links to victim machines, and were the result of carefully staged infection chains. Among other observations, Trellix identified a final DanaBot payload.

Malware bots sold for hundreds of dollars

The price per bot on the site ranged from as little as $0.70 up to several hundred dollars, depending on the amount and nature of the stolen data, according to a Europol filing.

The international operation was led by the US Federal Bureau of Investigation (FBI) and the Dutch National Police, with a command post set up at Europol’s headquarters in The Hague, Netherlands. It resulted in 119 arrests, 208 property searches and 97 “knock-and-talk” measures. Forty-five FBI field offices worked on the investigation — dubbed Operation Cookie Monster — the US Justice Department said in a press release announcing the takedown Wednesday.

Based on a forensic timestamp provided by law enforcement, Trellix identified a “setup.exe” file as the initial infection vector. This was a multistage executable whose size had been inflated to 440MB (99.3% of the file) through null padding, a trending technique used to evade security sandboxes, which often skip files above a size limit. The executable was a genuine Inno Setup installer, a benign software packaging format that Genesis used as a carrier for its malicious payload.

In the second stage, the executable dropped a dynamic link library (DLL), “yvibiajwi.dll,” into the victim computer’s temporary folder at %temp%.

The DLL, padded with junk code to avoid detection, decrypts a 150MB buffer appended to the end of the binary, yielding a portable executable (PE) file that is injected into the user’s “explorer.exe,” the Windows shell process that starts automatically at logon.

In the final leg of the attack, the compromised system establishes a connection to the attacker’s command and control (C&C) server and downloads another binary which, in the samples analyzed by Trellix, resembled the DanaBot family.
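The first stage of the chain above relies on a file inflated with trailing zero bytes to slip past size-limited scanning. The following script is an added example, not Trellix’s tooling or code from the article: it measures the run of trailing 0x00 bytes in a file without loading the whole file into memory and flags the file when that padding dominates its size. The 90% threshold and the fake “MZ” sample it writes to a temp file are assumptions for illustration, not values taken from the Genesis samples.

```python
"""Heuristic check for null-padded ("inflated") executables.

Added example, not code from the article or from Trellix. Flags a file
whose size is dominated by a trailing run of zero bytes, the sandbox
evasion trick described above. The file is scanned backwards in chunks
so a multi-hundred-megabyte sample is never held in memory at once.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size when scanning backwards from EOF


def trailing_null_bytes(path, chunk=CHUNK):
    """Return the length of the run of 0x00 bytes at the end of the file."""
    size = os.path.getsize(path)
    run = 0
    with open(path, "rb") as f:
        pos = size
        while pos > 0:
            n = min(chunk, pos)
            pos -= n
            f.seek(pos)
            buf = f.read(n)
            stripped = buf.rstrip(b"\x00")
            run += len(buf) - len(stripped)
            if stripped:          # hit real content; the padding run ends here
                break
    return run


def padding_report(path, threshold=0.90):
    """Return (padding_ratio, suspicious) for the file at `path`.

    `threshold` is the fraction of the file that must be trailing zeros to
    flag it. 0.90 is an assumed starting point: legitimate PE files carry
    some zero bytes for section alignment, but nowhere near 90% of their size.
    """
    size = os.path.getsize(path)
    if size == 0:
        return 0.0, False
    ratio = trailing_null_bytes(path) / size
    return ratio, ratio >= threshold


def make_sample(padded_bytes, directory=None):
    """Write a constructed sample: a fake 'MZ' header plus null padding.

    This is test data made up for the example, not a real executable.
    """
    fd, path = tempfile.mkstemp(suffix=".exe", dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(b"MZ" + b"\x90" * 4094)      # 4 KiB of pretend content
        f.write(b"\x00" * padded_bytes)      # the inflation
    return path


if __name__ == "__main__":
    # 600,000 bytes of padding on 4 KiB of content gives a ratio close to
    # the 99.3% reported for the Genesis dropper (the size is scaled down).
    sample = make_sample(600_000)
    ratio, suspicious = padding_report(sample)
    print(f"{sample}: {ratio:.1%} trailing nulls, suspicious={suspicious}")
    os.remove(sample)
```

Run it on a quarantined sample directory with a loop over `os.scandir`; a hit is a triage signal to send the file to a sandbox that does not enforce a size cap, not proof of malice on its own.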

Using commodity malware

Because the C&C domain was unavailable at the time of Trellix’s analysis, the firm assumed that the domain primarily distributes commodity malware: not only DanaBot but also families such as AZORult, Raccoon, and Redline.

“The samples that we have examined that were shared by the Dutch Police belonged to the DanaBot family as well as proprietary malware (javascript files) that Genesis installed in the victim’s browser to steal the valuable browser data,” Fokker said. “The other families have also been linked to Genesis Market in the past either by industry peers or from our own observations.”

In the last stage of the attack, the downloaded DanaBot binary executes and installs a malicious Chrome extension together with its associated JavaScript files. The extension steals browser information such as cookies, browser history and tab information, and packages it in a uniform format.

The JavaScript files include email-injection code that uses an exposed Chromium API to track user mailboxes in open Chrome tabs and gather the information needed to stage a fake urgent email that lures the user to targeted websites. The malicious Chrome extension can then monitor the user’s communications with those sites, typically cryptocurrency sites.

An invitation-only malware site

Genesis Market had been in existence since 2018 and was an invitation-only site that required referrals from current members. It was among the first to sell browser fingerprints and cookies alongside credentials to enable account takeovers despite growing MFA adoption, on the principle that an effective MFA-resistant attack must impersonate the victim’s trusted status by presenting both their credentials and their browser fingerprint.

In addition to infected bots, Genesis Market also advertised and sold a custom browser and plugin called “Genesium” on several underground forums, making it easier for buyers to carry out attacks with the stolen data.

Hackers already in possession of Genesis bots can continue their attacks as long as victims don’t refresh cookies and change compromised credentials; Genesis bots maintained real-time links that updated stolen passwords when victims changed them. Now that the Genesis infrastructure has been taken down, clearing browser cache and cookies invalidates the stolen session data, and restoring an infected computer to factory defaults removes the infection.

Victims still vulnerable unless remediation taken

“Victims are still vulnerable as long as they haven’t followed the remediation steps. We recommend checking if they are in the Genesis data set through the portal of the Dutch Police, which also provides remediation advice that Trellix helped formulate,” Fokker said. Data set information is available at https://www.politie.nl/en/information/checkyourhack.html.

Beyond that, Fokker added, the most important steps for organizations are to implement MFA and to tightly limit how long browser cookies remain valid before they expire.

Law enforcement has advised using antivirus programs, regularly updating software, avoiding suspicious links, pop-ups and dialog boxes, and using unique passwords as effective ways to prevent credential theft. A detailed list of remediation steps is provided by Trellix in its analysis of the Genesis bots.


Shweta Sharma is a senior journalist covering enterprise information security and digital ledger technologies for IDG’s CSO Online, Computerworld, and other enterprise sites.
