Genesis hacker marketplace taken down by law enforcement
Genesis Market, an infamous marketplace for stolen credentials, was taken down by a law enforcement operation spanning 17 countries. The marketplace had been selling access to millions of victim PCs compromised by the DanaBot infostealer and other malware.
Trellix, a cybersecurity firm that took part in the takedown, found that the bots sold on Genesis gave buyers access to the victims' browser fingerprints, cookies, autofill form data, and other credentials.
“The disruption of Genesis Market is yet another successful takedown that proves that public-private partnerships are critical in fighting cybercrime,” says John Fokker, head of threat intelligence at the Trellix Advanced Research Center in Amsterdam. “We have been following the market for many years and are delighted to have played a role in the demise of this renowned market.”
Although law enforcement put the number of malware bots connected to the marketplace at 1.5 million, Trellix could track only about 450,000 of them, since it had access to the marketplace's advertising data rather than the whole historical database. Trellix found that the bots it investigated had live connections to the victim machines and were the product of deliberately staged infections.
According to a Europol document, the price per bot on the site ranged from $0.70 to several hundred dollars, depending on the volume and type of data stolen from it.
The worldwide operation was led by the FBI and the Dutch National Police, with a command post at Europol's headquarters in The Hague, Netherlands. It resulted in 119 arrests, 208 property searches, and 97 “knock-and-talk” visits. The investigation, dubbed “Operation Cookie Monster,” involved 45 FBI field offices, according to the US Justice Department.
Working from a forensic timestamp supplied by law enforcement, Trellix identified a “setup.exe” file as the initial infection vector. The multistage executable had been inflated to 440MB with null padding (99.3% of the file), a technique meant to push the file past the size limits of security sandboxes so that it is never detonated. The file was a legitimate Inno Setup installer, a benign installer framework that Genesis abused to carry its malicious code.
In the second stage, the executable drops a dynamic link library (DLL), “yvibiajwi.dll,” into the user's temporary folder (%temp%). To evade detection, the DLL decrypts a 150MB buffer appended to the end of the binary, producing a portable executable (PE) file targeted at the user's “explorer.exe,” the Windows shell process.
In the third stage, the compromised machine connects to the attacker's command-and-control (C&C) server and downloads a further piece of malware that, according to Trellix, resembled the DanaBot family.
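Both tricks in the two stages above, the null padding that inflated setup.exe and the encrypted buffer the DLL reads from the end of the binary, leave their extra bytes past the end of the last PE section, where a triage script can measure them. The following Python is added here as an illustration and is not Trellix's analysis tooling or Genesis' code: it parses the section table of a constructed, minimal PE-shaped sample, reports the overlay, tells null padding apart from an appended payload, and strips the padding so an oversized sample fits a sandbox again. The sample files, the 95% null threshold and the function names are constructed for the example, and nothing is assumed about the real encryption of the 150MB buffer, which the article does not describe.

```python
import struct

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
FILE_ALIGN = 512


def parse_section_end(data: bytes) -> int:
    """Return the file offset just past the last byte the PE section table
    accounts for. Anything after it is 'overlay': data the loader never maps."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size
    end = table + num_sections * SECTION_HEADER_SIZE
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        if size_raw:  # uninitialised-data sections occupy no file bytes
            end = max(end, ptr_raw + size_raw)
    return end


def extract_overlay(data: bytes) -> bytes:
    """The bytes appended after the last section (null padding, or an embedded blob)."""
    return data[parse_section_end(data):]


def analyze_overlay(data: bytes) -> dict:
    end = parse_section_end(data)
    overlay = data[end:]
    nulls = overlay.count(0)
    return {
        "file_size": len(data),
        "image_end": end,
        "overlay_size": len(overlay),
        "overlay_null_fraction": nulls / len(overlay) if overlay else 0.0,
        "padding_fraction": nulls / len(data),  # share of the whole file that is null overlay
    }


def classify(report: dict, null_threshold: float = 0.95) -> str:
    """The threshold is an assumption for this example; tune it on real samples."""
    if report["overlay_size"] == 0:
        return "clean"
    if report["overlay_null_fraction"] >= null_threshold:
        return "null-padded"
    return "overlay-payload"


def strip_padding(data: bytes) -> bytes:
    """Drop trailing null bytes from the overlay so an oversized sample fits a
    sandbox's size limit again. Sections are untouched, so the PE still loads."""
    end = parse_section_end(data)
    return data[:end] + data[end:].rstrip(b"\0")


def build_sample(section_payload: bytes, overlay: bytes) -> bytes:
    """Construct a minimal PE-shaped file for testing: DOS header, PE signature,
    COFF header, zeroed optional header, one section, then the overlay.
    It is not executable; it only exercises the header parsing above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    opt = b"\x0b\x01" + b"\0" * 222                              # PE32 magic, rest zero
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    headers_len = len(dos) + 4 + len(coff) + len(opt) + SECTION_HEADER_SIZE
    ptr_raw = -(-headers_len // FILE_ALIGN) * FILE_ALIGN         # first aligned slot
    raw_size = -(-len(section_payload) // FILE_ALIGN) * FILE_ALIGN
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_payload), 0x1000,
                          raw_size, ptr_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(ptr_raw, b"\0")
    return headers + section_payload.ljust(raw_size, b"\0") + overlay


# Constructed inputs, scaled down from the 440MB original:
PAYLOAD = b"constructed stand-in for installer code"
CLEAN = build_sample(PAYLOAD, b"")
PADDED = build_sample(PAYLOAD, b"\0" * 300_000)                  # the null-padding trick
APPENDED = build_sample(PAYLOAD, bytes(range(256)) * 1000)       # stand-in for an appended encrypted buffer

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("padded", PADDED), ("appended", APPENDED)):
        report = analyze_overlay(sample)
        print(name, classify(report), report)
    print("padded sample after strip_padding:", len(strip_padding(PADDED)), "bytes")
```

Applied to the real setup.exe, 99.3% padding of 440MB means strip_padding would hand the sandbox roughly 3MB to detonate. For the appended-buffer case the script only reports and extracts the overlay; decoding it would require the cipher the DLL uses, which the article does not give.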
The sources for this piece include an article in CSO Online.