By John Fokker, Ernesto Fernández Provecho and Max Kersten · April 05, 2023
We would like to thank Steen Pedersen and Mo Cashman for their remediation advice.
On the 4th and the 5th of April, a law enforcement taskforce spanning agencies across 17 countries – including the FBI, Europol and the Dutch Police – have disrupted the infamous browser cookie market known as Genesis Market and approached hundreds of its users. Based on the information gathered, house searches would be conducted and users were either arrested or approached for a serious knock and talk conversation.
This global action set out to put a stop to the largest marketplace of its kind. As of this morning, the clear web address of Genesis Market displays the familiar takedown splash screen, as we have seen in previous cases.
Figure 1 Screenshot of takedown notice
Prior to the global takedown effort, Trellix and Computest were approached by law enforcement asking for assistance with the analysis and detection of the malicious binaries linked to Genesis Market. The primary goal was to render the market’s scripts and binaries useless. In this blog, we will explain the function and operations of Genesis Market, provide an analysis of malware samples that law enforcement shared with Trellix, and offer advice and guidance to (potential) victims.
Genesis Market
Genesis Market has been around since 2018 and is the largest underground marketplace that sells credentials, browser fingerprints, and browser cookies. Under the moniker GenesisStore, the Genesis team advertised on several (predominantly Russian speaking) underground forums.
Figure 2 Genesis Market advertisement on Exploit.
Genesis quickly became a one-stop shop for account takeovers, catering to cybercriminals looking to commit fraud and offering ways to bypass Multi-Factor-Authentication (MFA).
So, how is Genesis Market being used?
A cybercriminal can successfully fake the identity of the victim by loading the purchased browser fingerprints and cookies in their own browser, or the special browser built by Genesis market called Genesium. The stolen details are then used in combination with a VPN service or by using the victim’s machine as a proxy. This allows the criminal to assume the identity of the victim, and therefore act as if they are the victim. Services often use cookies and fingerprints for continued identification, even after an initial MFA authentication. Cybercriminals exploit the trusted status of the stolen details.
The lifespan of a cookie determines how long it is valid. Once expired, the cookie is invalidated, and the service will require the user to log-in again. The security depends on three factors: a password, browser fingerprint, and someone to whom the previous two factors belong. While the first two can be stolen, the latter is bound to a person. The idea is that the password is only known to the account owner, who logs in via the web browser with a specific fingerprint. While the cookie (generated upon logging in with the correct password) and the fingerprint are verified, this is typically is done by the person whose account is used. When dealing with stolen cookies and fingerprints, an actor can reuse the session and impersonate the victim.
To illustrate this with an analogy: assume you want to go to a newly released action movie in the cinema, which is restricted to those under the age of 16. Alas, you are 12 years old, and cannot enter the venue since IDs are checked. The ID, along with your physical traits, are the cookie and the fingerprint. If you were to climb on a classmate’s shoulders and hide under a trench coat while using a stolen ID, it’s possible that you can enter the venue, as the cinema might see you as eligible, based on the stolen ID (the cookie) and your appearance (the fingerprint).
While underground marketplaces that sell stolen credentials aren’t a new thing, Genesis Market was one of the first that focused on fingerprints and browser cookies to enable account takeovers despite growing MFA adoption.
Genesis Market shop overview
Genesis market also offered its users a unique specialized browser and plugin, called Genesium, that allowed for an easy injection of the stolen artifacts, making account takeover child’s play for cybercriminals. The market was an invitation only place which required referral from a current member to register. It is interesting to note is that most messages the Trellix Advanced Research Center found mentioning Genesis Market were from individuals asking for a referral, often prepared to pay money for said referral. When we examined the marketplace, we observed more than 450K listed bots (or infected machines). The official Europol announcement mentions a number of 1.5 million bots, this number differs from what we observed since we could only see the advertised data, not the full database including historic numbers. As you can see in the screenshot below, Genesis neatly organizes the different accounts and services it obtained from every victim, ranging from streaming services, web shops, and bank details, to corporate logins. Prices of bots varied per country and the number of available fingerprints.
Figure 3 Genesis Market Bot overview
The marketplace constantly updated the list of bots from numerous countries across the globe, as seen in the screenshot below.
Figure 4 Infection stats per country
During our research, we found the Genesium browser and plugin on VirusTotal, uploaded by one or more unknown entities. This shows the tools were used in the wild, which gives researchers access to the files to create detection rules. Nevertheless, given the uniqueness of the browser and how it is designed to facilitate cybercrime, we highly discourage any use of the browser and plugin.
Figure 5 The offering of the proprietary Genesium Browser and Plugin.
Telemetry on provided Malicious Files
Based on the malicious binaries and scripts provided by law enforcement we gathered the following global detection amongst our sensors. Please note that Genesis market was mostly targeted at infecting consumers however, given the detections across the Trellix network we do observe malicious detections across our enterprise sensors.
Figure 6 Global detections of Genesis Market related malware in Trellix ATLAS
Analysis
Over the years, Genesis Market has worked with a large variety of malware families to infect victims, where their info stealing scripts were used to steal information, which was used to populate the Genesis Market store. It comes as no surprise that the malware families linked to Genesis Market belong to the usual suspects of common info-stealers, like AZORult, Raccoon, Redline and DanaBot. In February 2023, Genesis Market started to actively recruit sellers. We believe with a moderate level of confidence that this was done to keep up with the growing demand of their users.
Figure 7 Genesis Market asking for Traffic and installs.
Based on our own information and information provided by law enforcement, it appears Genesis Market dropped and executed their own set of JavaScript (JS) scripts on the infected machines that were provided to them. This set of JS scripts were designed to grab all the relevant information from the victim’s machine in a structured way, ensuring the data quality across all the bots they were offering via their marketplace.
Malware linked to Genesis Market
Trellix received a set of malicious binaries and scripts that were linked to Genesis Market from law enforcement to further analyze the files and ensure detection coverage within our product portfolio. As explained in the previous paragraph, Genesis Market has leveraged a large variety of different malware families as an initial access vector, far too many to analyze individually. These families can be categorized as commodity malware, more detailed information is available in Trellix Insights. A detailed analysis of the samples and its execution flow is given below.
Figure 8 Execution flow of the analyzed samples.
Initial Vector
Table 1 The malware’s first stage details.
Based on forensic timestamps provided by law enforcement, the “setup.exe” file seems to be the initial infection vector. The file contains multiple stages, although not all of them could be analyzed due to an unreachable download location. The diagram below shows the different stages of this sample.
The executable’s size is inflated, as 440 MB (or 99.3%) is null padding. This technique to avoid sandbox execution isn’t new, but it has been used more often lately in recent campaigns, like Emotet and Qbot.
Figure 9 Beginning of the 440 MB null bytes chunk in the setup.exe sample.
For once, the file name provided by the malicious actor was correct: the file is indeed a setup. More precisely, it is an Inno Setup instance. Inno Setup is a benign software installer and has unfortunately been abused for malicious purposes. Upon its execution, “yvibiajwi.dll” is dropped in the temporary folder of the current user, which is located at “%temp%”. Alternatively, one can use Innounp (Inno Setup Unpacker) to extract the contents of the installer.
Table 2 The malware’s second stage details
The second stage, the extracted DLL named “yvibiajwi.dll” is used to load and execute the third stage. This file contains junk code to hinder analysts.
Figure 10 Junk code found in the dropped DLL sample.
Upon executing the DLL, the exported function “Niejgosiejhgse” is called to continue the execution chain. This function will Base64 decode and decrypt, using a custom XOR algorithm, the first 3808 bytes of a 150 MB buffer placed at the end of the binary. However, to successfully decrypt the first chunk of buffer, the numeric code 768376 must be provided to generate the valid decryption key. Then, the third stage of the malware, a shellcode, will be given.
Table 3 The malware’s shellcode details.
The shellcode will decrypt the rest of the 150 MB buffer using another custom XOR algorithm, resulting in a PE file that will be injected using process hollowing, in the process specified at the end of the shellcode. If no process name is given, “svchost.exe” is used. In this case, the targeted process is “explorer.exe”.
Figure 11 Initial part of the process hollowing injection carried out by the extracted shellcode.
Table 4 The malware’s fourth stage details.
The fourth stage of malware downloads and executes another binary from the “don-dns[.]com” command and control server. However, because this domain was unavailable at the time of the analysis, no samples could be obtained. Nevertheless, thanks to other related samples, we believe that the kind of samples distributed through this domain are primarily commodity malware.
Based on the forensic telemetry provided by law enforcement, it’s likely that the commodity malware that was installed in the victim machine was a DanaBot sample, the hash of which is given below.
DanaBot sample
Table 5 DanaBot’s details.
DanaBot is a well-known malware family with the goal of stealing sensitive information from users’ systems, which will be sold afterwards.
In the provided samples we could find two samples: the initial installer and final DanaBot payload. This malware seems to be used as a foothold prior to deploying more samples.
In this blog post we won’t provide a breakdown of the DanaBot platform as it has already been publicly analyzed in great detail in multiple blogs. Instead, we will continue the analysis with the next stage, which we presume is the final stage.
Malicious Chrome extension and associated JavaScript Files
In the final stage, a Chrome extension tries to masquerade itself as the Google Drive extension. Its goal is simple: steal browser information such as cookies, browser history, (current) tab information, and more, all in a uniform format for the Genesis Market operator(s) to (automatically) use. The extension, mainly and interestingly consisting of configuration files, includes main code and email injection code, based on the exposed API of the Chromium engine. Noteworthy is the potential existence of plugins for other browsers. Porting the malware to a different Chromium-based browser would be simple, while porting the plugin to a different browser might require more work.
The initial installation of the malicious extension is done via multiple stages of PowerShell. The OperaGX, Brave, and Chrome shortcuts on the victim’s device are recreated with an additional command-line interface flag to load the malicious extension.
Configuration files
Table 6 Configuration related files of the malicious Chrome extension.
The configuration files give information about the list of permissions which the plug-in requires. These permissions will apply to all URLs that the victim will visit, some of which allow access to sensitive data, such as cookies, current opened tabs, and the browser’s history.
Moreover, the application can edit loaded webpages, and thus remove headers if desired. Headers which are related to the Content Security Policy (CSP) mechanism are removed, which allows the malware to inject code into any rendered webpage.
Source code
Table 7 Main source code files of the malicious Chrome extension.
The files listed above contain CookieGenesis in their detection name in Trellix related products, making the identification of the files a walk in the park!
First the malware gets the Command and Control (C&C) domain from the transaction information of a given Bitcoin wallet (“bc1qtms60m4fxhp5v229kfxwd3xruu48c4a0tqwafu”). The queried website, Blockchain.info, is a benign website.
Figure 12 Code snippet that performs an HTTP request to calculate the final C&C domain server.
The JSON-based response contains another BTC address in a transaction. The second address (“1C56HRwPBaatfeUPEYZUCH4h53CoDczGyF”) can be base58 decoded, after which a substring of the complete string is calculated to obtain the C&C address. Below, the decoded value is given in human-readable format.
Next, the path “/api” is added to the domain, which completes the C&C address. Then, the malware continues its initialization by obtaining information about the victim’s browser and operating system.
Figure 13 Code snippet to get system information.
A web proxy is set up using a web socket, where the server address is specified by the C&C server. The used port is 4343. Additionally, the code injections are fetched from the C&C server, essentially “arming” the malware. Lastly, it checks if there are commands from the C&C queued up.
Gets system and browser information, listed below, and retrieves from the C&C server the injections to apply to the system and the settings configuration.
- CPU
- Memory
- Display
- Storage
- Operating System
- Video card
- Browser cookies
- Supported extensions by the browser.
Gets the settings configuration, which have only two options listed below.
- grabberLinks: the links to look for being used by the user.
- reverseProxy: the IP or domain that will be used as a proxy.
Table 8 Supported commands by the malicious extension.
Figure 14 Code snippet to take a screenshot of the current tab.
The malware contains a listener that monitors the creation of specific message events related to cryptocurrency exchange functionalities to capture the information of these messages, and subsequentially exfiltrate it to the C&C server. A list of supported message types is given:
- exchange-settings
- exchange-create-account
- exchange-set-all-balances
- exchange-set-balance
- exchange-get-address
- exchange-set-withdraw
- exchange-coinbase-get-ext
Email injection code
Table 9 Email injection files of the malicious Chrome extension.
The last piece of the extension is related to code injection in web e-mail applications. The injected code is meant to lure victims into thinking that their cryptocurrency exchange account has been compromised. The way the sample performs such an attack is as follows:
- Check if the browser’s tab mail application is Gmail, Outlook or Yahoo.
- Check if the user has any messages requesting the withdrawal of funds from one of the following cryptocurrency exchanges.
- Binance
- Bybit
- OKX
- Kraken
- KuCoin
- Bitget
- Bittrex
- Modify the email to include an alert that some suspicious activity has been detected and the user must check its account.
We believe that the idea behind this attack is forcing the victim to access their cryptocurrency account and, using the previously discussed functionality, extract sensitive information.
Bitcoin wallet
The Bitcoin wallet used to get the final C&C domain (“bc1qtms60m4fxhp5v229kfxwd3xruu48c4a0tqwafu”) performed one transaction towards the Bitcoin wallet from which the C&C server is derived (“1C56HRwPBaatfeUPEYZUCH4h53CoDczGyF”). We believe that this wallet is not controlled by the attacker, it simply transferred a low amount of money (0.00056949 BTC, less than 15 USD on the 6th of February 2023) to set up the string that would be decoded to get the C&C domain.
The bc1-wallet had one incoming transaction, coming from “bc1qkr46e27y9xh367n4pgdqjw544d2nlyxgwjxwz2” (note the different addresses, even though the start is similar). This address also received funds from other accounts that can be traced back to the BTC address “bc1qnvg0hqp343eewr08uh3fl86ggk4srtfwanp4na”, which received money in a transaction (“351fe6493f9a97eb55bd6a4a678c63fcbe96edce0f09a074323ee5c95cb46cd2”) of 90 BTC from 9 towards 52 addresses. This transaction also contains an interesting Coinbase wallet (“17QyR2ixNj1AgpD5ZuXubvSJ3gPPQVcsvp”), which some researchers linked to Russian oligarchs when the Russo-Ukrainian war began. Please note, we don’t have all the underlying research documents and cannot verify the credibility of the linked research.
Figure 15 Bitcoin transaction flow that links 17QyR2ixNj1AgpD5ZuXubvSJ3gPPQVcsvp wallet with the one used by the malicious extension to get the CnC.
MITRE techniques
The MITRE ATT&CK techniques that relate to the malicious files that are discussed in this blog, are given below.
Table 10 MITRE ATT&CK tactics and techniques of the analyzed samples.
Coverage
The malicious binaries shared with Trellix by law enforcement have been added in our detection logic and have been shared with the community via VirusTotal on April 4, 2023.
Dropper-FXP!66BCDBE3305B trojan
GenericRXVL-TW!7FAFFE72F822 trojan
Packed-GEE!C176BEEC7F22 trojan
GenericRXVM-CY!C03138967D15 trojan
Danabot-encoded.a
Trojan-FUFH!AFCF223C3D9A
JS/CookieGenesis.a
JS/CookieGenesis.b
Gen:Variant.Zusy.451910
Trojan.GenericKD.65607926
Gen:Variant.Zusy.450937
Detection as a Service
Email Security
Malware Analysis
File Protect
FE_Loader_Win32_Generic_408
FE_Trojan_Raw32_Generic_78
FEC_Trojan_JS_CookieGenesis_74
FEC_Trojan_JS_ CookieGenesis_77
FEC_Trojan_JS_ CookieGenesis_78
Suspicious Process Trimmed Setup Error Activity
Table 11 Trellix malicious Genesis samples detection signatures.
Remediation advice
Global law enforcement urges consumers to check if their data was obtained and sold via Genesis Market via CheckYourHack, launched by the Dutch Police. If your email address is part of the data set, you will receive a follow-up email from the police with reporting and remediation advice.
Below, see how to best protect yourself if you are impacted:
- Update your antivirus, perform a full system scan, and remove any malware.
- Change all your passwords for online services.
- If possible, completely restore your computer to the factory default while keeping personal data intact. Otherwise clear your browser cache and cookies.
- Enable strong MFA (App, OTP, Token OTP, FIDO or PKI based) on your online services as outlined below.
- Do not store any passwords, credit card details, or other personal information in the browser.
- Do not install cracked or pirated software.
- Always check if the website that you are downloading software from is the original website of the software supplier.
Figure 16 MFA Hierarchy published by CISA
Best practices for organizations and administrators
For organizations, the below best practices should be followed for prevention and identity and access management. Note, some guidance is Trellix specific.
-
- Train users in phishing and how to spot phishing – repeat training with test phishing emails for all users – users must be alert when it comes to links and attachments.
- Be very careful with password protected archives, as they will pass through most email scanning and web proxies.
- Check file extensions: a JPG, PDF or Document might not be what it looks like based on the icon! It can be an executable which disguises itself with its icon.
- Implement web control and block access to any unknown/uncategorized websites.
- Block or report any unknown application from communication to the/from the Internet – can be done by firewall solutions (Trellix Endpoint Security (ENS))
- Implement Adaptive Threat Protection (ATP) and configure Dynamic Application Containment (DAC) for unknown processes limiting what they can do.
- Enable Exploit Prevention and enable signature for “Suspicious Double File Extension Execution” (Signature 413).
- Protect session cookies with Exploit Prevention Expert rule.
- Implement Expert rules which will trigger on any PowerShell or unknown / contained process accessing your session cookie?
- C:\Users\**\AppData\Local\Google\Chrome\User Data\Default\Network\**\*.*
- C:\Users\**\AppData\Roaming\Mozilla\Firefox\Profiles\**\*.*
- C:\Users\**\AppData\Local\Microsoft\Edge\User Data\Default\Network\**\*.*
- Implement Endpoint Detection and Response (Trellix EDR). It could detect some of the techniques identified such as malicious use of web protocols, process injection and tool transfers.
- Implement strong and deep email scanning.
- Implement strong and deep web gateway and blocking of uncategorized web-sites and have a quick and trusted procedure to add more websites if needed.
- Please apply the Identity and Access Management (IAM) best practices as outlined by CISA.
- Review your current visibility and detection capability on credential theft and privilege abuse.
- Train users in phishing and how to spot phishing – repeat training with test phishing emails for all users – users must be alert when it comes to links and attachments.
- can collect logs from various IAM and EDR systems and provides correlation to detect potential misuse and escalation.
Conclusion
The disruption of Genesis Market is yet another successful takedown, showing that criminals aren’t safe and secure while disrupting the lives of individuals and corporations on a global scale. As Trellix and our Advanced Research Center, we are proud to contribute to this international law enforcement operation and play our part. We aim to publicly inform the public with this analysis to ensure everybody’s (digital) safety, not only the safety of our customers.
Appendix A – IoCs
Hashes
Initial infection vector
fb67f006c56ab5f511be9a7b14787396fc17f587188e7da05dfdec4ebf28f924
c700c6d555983cb2af297ca854143de7f92e3ec88a975dcb4570376b75c38e34
8a9e38bcc89a0e843b1b3ee6465033715ed71ff25ba3b33fb8f97be417ffc091
00a258de9d8e2b21e444b8aa0666d498e120bca9195c64a60e3076708e111fab
22c835f2af4b2020f314cb98fcd591fdccd3b0da155e934548f6109ebabff707
6f91c7b8e6d50bc6d0b7591cdcd3b8594107cb0bbdd44c5031fd938365087f68
Danabot samples
08a33b5312b9e7a3fe0ab5f82705646df372fd0c4ed5c61a32344682ed40c08a
06c4dec4787206be38e5d6226b8a82f81270eea893cd6c8deca82e6118fdeed8
e4f5ee78cf7f8147ab5d5286f4af31dc94cfced6913f3f5f5dad8d87a8cbca7c
e956066bf3c9f18728111c112c457431bd4f2649f8d7d2049b772f55e9561dc0
531b5db554ddb65534936ba3329a68a8b127b4ef46d344317d922d4c342a29f3
Malicious Chrome extension JavaScript files
f14592245eb90d57dd5a4c8dc38009e8c662d753d7fb95edc00b65b91f30e779
accff930cc6aa6afa25b164bc35bc612ea5067b273f1c2ec66c44327e1cdbd2f
ea47a4be67a767c65838cd5382e2b59178ef6a0f5a8610645e324488f53aa2c6
65827a0e24ce36007307db3f415a97e6e9dc8bd9504b025a39ee9805f021d599
18b21e97e7b9fc3bc2a2f213f846bfd9e8e5d1df674fc5643ef32be5dc4ae5ff
380637e36765a4a2969687cf002c3a17abde1d1f460bbf85c536a36b8dd2758c
17e8fc8674d75114cc7feb84dc52e42a9e2a7377e0df6f11add850d5aece135a
bcaa8b7cbb933b2b2deedac426fd8c107f513918e1243902c3936c4009d945b6
5af7c0ad5425c6c3a631dd800dcb7e6035cebf03210433914544d330063ebe49
5cc418457bc22049b535cd99f4f3d79e8f348c84b6b88e9600546bbcfaea5878
d84cb4a6fb4d068ab1677a0a3dc1a606a46a1583e6676f2641703efec0d63baf
6c7032c4f5a90307b00dd0142fbcc6ef6c423ecdfa3ce942e2bae4386dbbdbdb
c0e554c1c620cc7200a1803b54a11ac15895a8d07be65a7772089b2b8e441537
fe84ad7571e4a518481df52242e02415de0b6cefff8f8b4f91eeee407051f7cb
0e3369b689948b9f009fe2f8eedf0ca977c53ebdcf19ab5da656c329e3a2e394
d094428bfa619d2e0c5139491b84e4ec0fecb325f346e28f9e0bda7860dfc9ab
561f021f3b4f69705ed9e93cba53f8197cb2fd8c56c1e7fae9a622b5be4740ee
BTC address
bc1qtms60m4fxhp5v229kfxwd3xruu48c4a0tqwafu
IP addresses
142[.]11.244.14
104[.]234.119.29
104[.]234.10.89
23[.]254.253.134
Domains
you-rabbit[.]com
don-dns[.]com
URLs (notice that some variables have been included in brackets)
https://you-rabbit[.]com/api/machine/commands?uuid={uuid}
https://you-rabbit[.]com/api/machine/set-command
https://you-rabbit[.]com/api/exchange/settings
https://you-rabbit[.]com/api/exchange/create-account
https://you-rabbit[.]com/api/exchange/set-all-balances
https://you-rabbit[.]com/api/exchange/set-balance
https://you-rabbit[.]com/api/exchange/get-address?{msg_params}
https://you-rabbit[.]com/api/exchange/set-withdraw
https://you-rabbit[.]com/api/machine/set-grabber-info
https://you-rabbit[.]com/api/machine/init
https://you-rabbit[.]com/api/machine/injections?uuid={uuid}
https://you-rabbit[.]com/api/machine/settings
https://don-dns[.]com/hittest.php?a={token}&id={id}