Infamous hacker marketplace Genesis, which was taken down this week by an international law enforcement operation involving 17 countries, was selling access to millions of victim computers gained via the DanaBot infostealer and likely other malware.
Trellix, the cybersecurity firm that assisted in the takedown of the Genesis site, said that malware used by Genesis provided access to browser fingerprints, cookies, autofill form data, and other credentials.
“The disruption of Genesis Market is yet another successful takedown that proves that public-private partnerships are vital in fighting cybercrime,” said John Fokker, head of threat intelligence at the Trellix Advanced Research Center in Amsterdam. “We had been monitoring the marketplace for many years now and are proud to have been able to play a part in the takedown of this notorious market.”
A Trellix analysis could only trace 450,000 malware bots listed on the marketplace, out of the 1.5 million announced by law enforcement officials, mainly because Trellix had access only to advertised data and not the full historic database.
The bots on sale and analysed by Trellix are malware with real-time links to victim machines, and were the result of infections that were carefully crafted in stages. Among other observations, Trellix detected a final DanaBot payload.
Malware bots sold for hundreds of dollars
The price per bot on the site ranged from as little as $0.70 up to several hundred dollars, depending on the amount and nature of the stolen data, according to a Europol filing.
The international operation was led by the US Federal Bureau of Investigation (FBI) and the Dutch National Police, with a command post set up at Europol’s headquarters in The Hague, Netherlands. It resulted in 119 arrests, 208 property searches and 97 "knock-and-talk" measures. Forty-five FBI field offices worked on the investigation, the US Justice Department said in a press release announcing the takedown Wednesday.
Based on a forensic timestamp provided by law enforcement, Trellix observed a “setup.exe” file as the initial infection vector. This was a multistaged executable file whose size was inflated (99.3%) to 440MB through null padding, a trending technique used to avoid cybersecurity sandboxes. The executable was observed to be a genuine Inno Setup, a benign software installer file that was used by Genesis for malicious injection.
In the second step, the executable would drop a dynamic link library (DLL) file, “yvibiajwi.dll,” in the temporary folder of the victim computer located at %temp%.
The DLL, which includes junk code to avoid detection, executes functions that decrypt a 150MB buffer at the end of the malicious script binary, yielding a portable executable (PE) file targeted at the user’s “explorer.exe,” a Windows startup process.
In the final stage, the compromised system connects to the attacker's command and control (CC) server and downloads another binary which, in the samples analysed by Trellix, resembled the DanaBot family.
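The null-padding trick in the first stage of the chain above is cheap to detect once you know to look for it. The following Python script is an added example, not part of Trellix's analysis or of the original article: it measures the run of trailing 0x00 bytes in a sample, flags files where that padding dominates the file, reads large files backwards in chunks so a 440MB stager does not have to be loaded into memory, and hashes the content with the padding stripped so that copies of one payload inflated by different amounts collapse to a single hash. The 1 MiB / 90% thresholds and the constructed samples are assumptions for this example.

```python
"""Heuristic detector for null-padded ("inflated") executables.

Added example, not part of Trellix's analysis: the stager described above was
padded with null bytes to 440MB so that it exceeded the file-size limits of
many sandboxes. This script measures the run of trailing 0x00 bytes, flags
files where that padding dominates, and hashes the file with the padding
removed so that variants of one payload that differ only in padding share a
hash. The thresholds are assumptions for this example; tune them to your fleet.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20          # read the tail of large files in 1 MiB chunks
MIN_PADDING = 1 << 20    # assumption: at least 1 MiB of trailing nulls ...
MIN_RATIO = 0.90         # assumption: ... making up at least 90% of the file


def trailing_null_length(data: bytes) -> int:
    """Number of consecutive 0x00 bytes at the very end of `data`."""
    return len(data) - len(data.rstrip(b"\x00"))


def trailing_null_length_file(path: str) -> int:
    """Same measurement, reading the file backwards chunk by chunk so that a
    multi-hundred-megabyte sample is never loaded into memory at once."""
    size = os.path.getsize(path)
    count = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            fh.seek(pos)
            chunk = fh.read(step)
            kept = chunk.rstrip(b"\x00")
            count += len(chunk) - len(kept)
            if kept:            # a non-null byte ends the padding run
                break
    return count


def padding_ratio(data: bytes) -> float:
    """Fraction of the file that is trailing null padding (0.0 for empty input)."""
    return trailing_null_length(data) / len(data) if data else 0.0


def is_null_inflated(data: bytes, min_padding: int = MIN_PADDING,
                     min_ratio: float = MIN_RATIO) -> bool:
    """Flag only when the padding is both large in absolute terms and the bulk
    of the file; ordinary section alignment adds a few trailing nulls and
    must not trip the rule."""
    pad = trailing_null_length(data)
    return pad >= min_padding and pad / len(data) >= min_ratio


def stripped_sha256(data: bytes) -> str:
    """SHA-256 over the content with trailing nulls removed. Record it next to
    the full-file hash: variants that differ only in padding share this value."""
    return hashlib.sha256(data.rstrip(b"\x00")).hexdigest()


def count_via_temp_file(data: bytes) -> int:
    """Exercise the on-disk path: write `data` to a temp file and count there."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
        path = fh.name
    try:
        return trailing_null_length_file(path)
    finally:
        os.unlink(path)


# Constructed samples, not real malware: a small fake payload (it ends in 0xFF,
# so the padding run is unambiguous) followed by different amounts of padding.
PAYLOAD = b"MZ" + bytes(range(256)) * 4
INFLATED_A = PAYLOAD + b"\x00" * (2 << 20)
INFLATED_B = PAYLOAD + b"\x00" * (3 << 20)
CLEAN = PAYLOAD + b"\x00" * 16       # normal alignment padding, not inflation


if __name__ == "__main__":
    for label, sample in (("inflated_a", INFLATED_A), ("inflated_b", INFLATED_B),
                          ("clean", CLEAN)):
        print(f"{label:10s} size={len(sample):>9d} "
              f"padding={padding_ratio(sample):.4f} "
              f"inflated={is_null_inflated(sample)} "
              f"stripped_sha256={stripped_sha256(sample)[:16]}...")
```

The ratio test alone is not enough: a tiny PE with a few hundred trailing zeros can exceed 90% padding, which is why the rule also demands an absolute minimum. The stripped hash is the more durable artefact for sharing, since an operator who re-pads the same stager to a different size changes the full-file hash but not the stripped one.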
Using commodity malware
Because the CC domain was no longer reachable at the time of Trellix's analysis, Trellix assumed that the domain primarily distributed commodity malware, including not only DanaBot but also others such as AZORult, Raccoon, and RedLine.
An invitation-only malware site
Genesis Market had been in existence since 2018, and was an invitation-only site that required referrals from current members. It was among the first to use browser fingerprints and cookies to enable account takeovers, despite growing MFA adoption. It used the principle that for an effective MFA-resistant attack, the attacker must exploit a victim’s trusted status by accessing both their credentials and browser fingerprint.
In addition to infected bots, Genesis Market also advertised and sold a custom browser and plugin called “Genesium” on several underground forums, making it easier for hackers to carry out attacks.
It is possible for hackers already in possession of Genesis bots to continue attacks as long as victims don’t refresh cookies and change compromised credentials. Genesis bots have real-time links that update passwords when victims change them. After the takedown of Genesis infrastructure, clearing browser cache and cookies, or restoring an infected computer to factory default, can invalidate the infection.
Victims still vulnerable unless remediation taken
“Victims are still vulnerable as long as they haven’t followed the remediation steps. We recommend checking if they are in the Genesis data set through the portal of the Dutch Police, which also provides remediation advice that Trellix helped formulate,” Fokker said. Data set information is available at https://www.politie.nl/en/information/checkyourhack.html.
Additionally, and most importantly, organisations should implement MFA and severely limit the amount of time that browser cookies can be used before they expire, Fokker added.
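Cookie lifetime is a server-side setting, so it is also something an application team can audit directly. The Python checker below is an added example, not code from the article, Trellix or the Dutch Police: it parses a `Set-Cookie` header, derives the cookie's lifetime from `Max-Age` or `Expires`, reports lifetimes above a policy limit as well as missing `Secure`, `HttpOnly` and `SameSite` attributes, and shows the hardened form of the same cookie beside the weak one. The 8-hour limit, the `FIXED_NOW` clock and the sample headers are assumptions constructed for the example. One caveat the passage implies: `HttpOnly` does nothing against an infostealer that reads the cookie store from disk, so it is the short lifetime (and server-side session revocation) that actually bounds how long a stolen copy stays usable.

```python
"""Audit Set-Cookie headers for lifetimes that let a stolen cookie live too long.

Added example, not from the article or Trellix. An infostealer that copies the
browser's cookie store gets whatever the server issued, so the server-side
lifetime bounds how long that copy is useful. The 8-hour policy limit is an
assumption for this example.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(hours=8)                           # assumed policy limit
FIXED_NOW = datetime(2023, 4, 5, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attr: value|True}).
    Attribute names are case-insensitive (RFC 6265); bare flags map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def cookie_lifetime(attrs: dict, now: datetime):
    """Lifetime as a timedelta, or None when neither Max-Age nor Expires is set
    (a browser session cookie). Max-Age takes precedence over Expires."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit_set_cookie(header: str, now=None, max_lifetime: timedelta = MAX_LIFETIME):
    """Return (cookie_name, findings); an empty findings list means it passes."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    life = cookie_lifetime(attrs, now)
    if life is None:
        findings.append("no Max-Age/Expires: session cookie, browser session "
                        "restore can keep it alive indefinitely")
    elif life > max_lifetime:
        findings.append(f"lifetime {life} exceeds policy limit {max_lifetime}")
    if attrs.get("secure") is not True:
        findings.append("missing Secure")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax or Strict")
    return name, findings


def harden_set_cookie(name: str, value: str, max_age_s: int = 3600) -> str:
    """Re-issue the same cookie with a short lifetime and the expected flags."""
    return (f"{name}={value}; Max-Age={max_age_s}; Path=/; "
            "Secure; HttpOnly; SameSite=Strict")


# Constructed headers for the demonstration (not captured from any real site).
WEAK = "sid=abc123; Path=/"
LONG_LIVED = "remember=me; Max-Age=31536000; Path=/; Secure; HttpOnly; SameSite=Lax"
EXPIRES_HDR = ("sid=xyz; Expires=Wed, 05 Apr 2023 02:00:00 GMT; Path=/; "
               "Secure; HttpOnly; SameSite=Lax")
STRONG = harden_set_cookie("sid", "abc123", 3600)

if __name__ == "__main__":
    for hdr in (WEAK, LONG_LIVED, EXPIRES_HDR, STRONG):
        name, findings = audit_set_cookie(hdr, now=FIXED_NOW)
        print(f"{name:10s} {'OK' if not findings else '; '.join(findings)}")
```

Run it over the `Set-Cookie` headers your own applications emit (for example, captured from a login response) and treat any lifetime finding as a policy question rather than a bug: a one-year "remember me" cookie is exactly the artefact a Genesis-style bot turns into a durable account takeover.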
Law enforcement has advised using antivirus programs, regularly updating software, avoiding suspicious links, pop-ups, and dialog boxes, and using unique passwords as effective ways to prevent this kind of access theft. A detailed list of remediation steps is provided by Trellix in its analysis of the Genesis bots.