Genesis Market No Longer Feeds the Evil Cookie Monster

By John Fokker, Ernesto Fernández Provecho, and Max Kersten

We would like to thank Steen Pedersen and Mo Cashman for their remediation advice.

On the 4th and the 5th of April, a law enforcement taskforce spanning agencies across 17 countries – including the FBI, Europol and the Dutch Police – have disrupted the infamous browser cookie market known as Genesis Market and approached hundreds of its users. Based on the information gathered, house searches would be conducted and users were either arrested or approached for a serious knock and talk conversation.

This global action set out to put a stop to the largest marketplace of its kind. As of this morning, the clear web address of Genesis Market displays the familiar takedown splash screen, as we have seen in previous cases.

Figure 1. Screenshot of takedown notice

Prior to the global takedown effort, Trellix and Computest were approached by law enforcement asking for assistance with the analysis and detection of the malicious binaries linked to Genesis Market. The primary goal was to render the market’s scripts and binaries useless. In this blog, we will explain the function and operations of Genesis Market, provide an analysis of malware samples that law enforcement shared with Trellix, and offer advice and guidance to (potential) victims.

Genesis Market

Genesis Market has been around since 2018 and is the largest underground marketplace that sells credentials, browser fingerprints, and browser cookies. Under the moniker GenesisStore, the Genesis team advertised on several (predominantly Russian speaking) underground forums.

Figure 2 Genesis Market advertisement on Exploit.

Genesis quickly became a one-stop shop for account takeovers, catering to cybercriminals looking to commit fraud and offering ways to bypass Multi-Factor-Authentication (MFA).

So, how is Genesis Market being used?

A cybercriminal can successfully fake the identity of the victim by loading the purchased browser fingerprints and cookies in their own browser, or the special browser built by Genesis market called Genesium. The stolen details are then used in combination with a VPN service or by using the victim’s machine as a proxy. This allows the criminal to assume the identity of the victim, and therefore act as if they are the victim. Services often use cookies and fingerprints for continued identification, even after an initial MFA authentication. Cybercriminals exploit the trusted status of the stolen details.

The lifespan of a cookie determines how long it is valid. Once expired, the cookie is invalidated, and the service will require the user to log-in again. The security depends on three factors: a password, browser fingerprint, and someone to whom the previous two factors belong. While the first two can be stolen, the latter is bound to a person. The idea is that the password is only known to the account owner, who logs in via the web browser with a specific fingerprint. While the cookie (generated upon logging in with the correct password) and the fingerprint are verified, this is typically is done by the person whose account is used. When dealing with stolen cookies and fingerprints, an actor can reuse the session and impersonate the victim.

To illustrate this with an analogy: assume you want to go to a newly released action movie in the cinema, which is restricted to those under the age of 16. Alas, you are 12 years old, and cannot enter the venue since IDs are checked. The ID, along with your physical traits, are the cookie and the fingerprint. If you were to climb on a classmate’s shoulders and hide under a trench coat while using a stolen ID, it’s possible that you can enter the venue, as the cinema might see you as eligible, based on the stolen ID (the cookie) and your appearance (the fingerprint).

While underground marketplaces that sell stolen credentials aren’t a new thing, Genesis Market was one of the first that focused on fingerprints and browser cookies to enable account takeovers despite growing MFA adoption.

Genesium browser and plugin

Genesis market also offered its users a unique specialized browser and plugin, called Genesium, that allowed for an easy injection of the stolen artifacts, making account takeover child’s play for cybercriminals. The market was an invitation only place which required referral from a current member to register. It is interesting to note is that most messages the Trellix Advanced Research Center found mentioning Genesis Market were from individuals asking for a referral, often prepared to pay money for said referral. When we examined the marketplace, we observed more than 450K listed bots (or infected machines) and law enforcement report more than 1.5 million bots in total. As you can see in the screenshot below, Genesis neatly organizes the different accounts and services it obtained from every victim, ranging from streaming services, web shops, and bank details, to corporate logins. Prices of bots varied per country and the number of available fingerprints.

Figure 3 Genesis Market Bot overview

The marketplace constantly updated the list of bots from numerous countries across the globe, as seen in the screenshot below.

Figure 4 Infection stats per country

During our research, we found the Genesium browser and plugin on VirusTotal, uploaded by one or more unknown entities. This shows the tools were used in the wild, which gives researchers access to the files to create detection rules. Nevertheless, given the uniqueness of the browser and how it is designed to facilitate cybercrime, we highly discourage any use of the browser and plugin.

Figure 5 The offering of the proprietary Genesium Browser and Plugin.

Telemetry on provided Malicious Files

Based on the malicious binaries and scripts provided by law enforcement we gathered the following global detections.

Figure 6 Global detections of Genesis Market related malware

Analysis

Over the years, Genesis Market has worked with a large variety of malware families to infect victims, where their info stealing scripts were used to steal information, which was used to populate the Genesis Market store. It comes as no surprise that the malware families linked to Genesis Market belong to the usual suspects of common info-stealers, like AZORult, Raccoon, Redline and DanaBot. In February 2023, Genesis Market started to actively recruit sellers. We believe with a moderate level of confidence that this was done to keep up with the growing demand of their users.

Figure 7 Genesis Market asking for Traffic and installs.

Based on our own information and information provided by law enforcement, it appears Genesis Market dropped and executed their own set of JavaScript (JS) scripts on the infected machines that were provided to them. This set of JS scripts were designed to grab all the relevant information from the victim’s machine in a structured way, ensuring the data quality across all the bots they were offering via their marketplace.

Malware linked to Genesis Market

Trellix received a set of malicious binaries and scripts that were linked to Genesis Market from law enforcement to further analyze the files and ensure detection coverage within our product portfolio. As explained in the previous paragraph, Genesis Market has leveraged a large variety of different malware families as an initial access vector, far too many to analyze individually. These families can be categorized as commodity malware, more detailed information is available in Trellix Insights. A detailed analysis of the samples and its execution flow is given below.

Figure 8 Execution flow of the analyzed samples.

Initial vector

Table 1 The malware's first stage details

Based on forensic timestamps provided by law enforcement, the “setup.exe” file seems to be the initial infection vector. The file contains multiple stages, although not all of them could be analyzed due to an unreachable download location. The diagram below shows the different stages of this sample.

The executable’s size is inflated, as 440 MB (or 99.3%) is null padding. This technique to avoid sandbox execution isn’t new, but it has been used more often lately in recent campaigns, like Emotet and Qbot.

Figure 9 Beginning of the 440 MB null bytes chunk in the setup.exe sample.

For once, the file name provided by the malicious actor was correct: the file is indeed a setup. More precisely, it is an Inno Setup instance. Inno Setup is a benign software installer and has unfortunately been abused for malicious purposes. Upon its execution, “yvibiajwi.dll” is dropped in the temporary folder of the current user, which is located at “%temp%”. Alternatively, one can use Innounp (Inno Setup Unpacker) to extract the contents of the installer.

Table 2 The malware's second stage details

The second stage, the extracted DLL named “yvibiajwi.dll” is used to load and execute the third stage. This file contains junk code to hinder analysists.

Figure 10 Junk code found in the dropped DLL sample.

Upon executing the DLL, the exported function “Niejgosiejhgse” is called to continue the execution chain. This function will Base64 decode and decrypt, using a custom XOR algorithm, the first 3808 bytes of a 150 MB buffer placed at the end of the binary. However, to successfully decrypt the first chunk of buffer, the numeric code 768376 must be provided to generate the valid decryption key. Then, the third stage of the malware, a shellcode, will be given.

Table 3 The malware's shellcode details.

The shellcode will decrypt the rest of the 150 MB buffer using another custom XOR algorithm, resulting in a PE file that will be injected using process hollowing, in the process specified at the end of the shellcode. If no process name is given, “svchost.exe” is used. In this case, the targeted process is “explorer.exe”.

Figure 11 Initial part of the process hollowing injection carried out by the extracted shellcode.

Table 4 The malware's fourth stage details

The fourth stage of malware downloads and executes another binary from the “don-dns[.]com” command and control server. However, because this domain was unavailable at the time of the analysis, no samples could be obtained. Nevertheless, thanks to other related samples, we believe that the kind of samples distributed through this domain are primarily commodity malware.

Based on the forensic telemetry provided by law enforcement, it’s likely that the commodity malware that was installed in the victim machine was a DanaBot sample, the hash of which is given below.

DanaBot sample

Table 5 DanaBot's details

DanaBot is a well-known malware family with the goal of stealing sensitive information from users’ systems, which will be sold afterwards.

In the provided samples we could find two samples: the initial installer and final DanaBot payload. This malware seems to be used as a foothold prior to deploying more samples.

In this blog post we won’t provide a breakdown of the DanaBot platform as it has already been publicly analyzed in great detail in multiple blogs. Instead, we will continue the analysis with the next stage, which we presume is the final stage.

Malicious Chrome extension and associated JavaScript Files

In the final stage, a Chrome extension tries to masquerade itself as the Google Drive extension. Its goal is simple: steal browser information such as cookies, browser history, (current) tab information, and more, all in a uniform format for the Genesis Market operator(s) to (automatically) use. The extension, mainly and interestingly consisting of configuration files, includes main code and email injection code, based on the exposed API of the Chromium engine. Noteworthy is the potential existence of plugins for other browsers. Porting the malware to a different Chromium-based browser would be simple, while porting the plugin to a different browser might require more work.

The initial installation of the malicious extension is done via multiple stages of PowerShell. The OperaGX, Brave, and Chrome shortcuts on the victim’s device are recreated with an additional command-line interface flag to load the malicious extension.

Configuration files

Table 4 Configuration related files of the malicious Chrome extension.

The configuration files give information about the list of permissions which the plug-in requires. These permissions will apply to all URLs that the victim will visit, some of which allow access to sensitive data, such as cookies, current opened tabs, and the browser’s history.

Moreover, the application can edit loaded webpages, and thus remove headers if desired. Headers which are related to the Content Security Policy (CSP) mechanism are removed, which allows the malware to inject code into any rendered webpage.

Source code

Table 5 Main source code files of the malicious Chrome extension.

The files listed above contain CookieGenesis in their detection name in Trellix related products, making the identification of the files a walk in the park!

First the malware gets the Command and Control (C&C) domain from the transaction information of a given Bitcoin wallet (“bc1qtms60m4fxhp5v229kfxwd3xruu48c4a0tqwafu”). The queried website, Blockchain.info, is a benign website.

Figure 12 Code snippet that performs an HTTP request to calculate the final C&C domain server.

The JSON-based response contains another BTC address in a transaction. The second address (“1C56HRwPBaatfeUPEYZUCH4h53CoDczGyF”) can be base58 decoded, after which a substring of the complete string is calculated to obtain the C&C address. Below, the decoded value is given in human-readable format.

Next, the path "/api" is added to the domain, which completes the C&C address. Then, the malware continues its initialization by obtaining information about the victim’s browser and operating system.

Figure 13 Code snippet to get system information.

A web proxy is set up using a web socket, where the server address is specified by the C&C server. The used port is 4343. Additionally, the code injections are fetched from the C&C server, essentially “arming” the malware. Lastly, it checks if there are commands from the C&C queued up.

Table 6 Supported commands by the malicious extension.

Figure 14 Code snippet to take a screenshot of the current tab.

The malware contains a listener that monitors the creation of specific message events related to cryptocurrency exchange functionalities to capture the information of these messages, and subsequentially exfiltrate it to the C&C server. A list of supported message types is given:

· exchange-settings

· exchange-create-account

· exchange-set-all-balances

· exchange-set-balance

· exchange-get-address

· exchange-set-withdraw

· exchange-coinbase-get-ext

Email injection code

Table 7 Email injection files of the malicious Chrome extension.

The last piece of the extension is related to code injection in web e-mail applications. The injected code is meant to lure victims into thinking that their cryptocurrency exchange account has been compromised. The way the sample performs such an attack is as follows:

1. Check if the browser’s tab mail application is Gmail, Outlook or Yahoo.
2. Check if the user has any messages requesting the withdrawal of funds from one of the following cryptocurrency exchanges.

· Binance

· Bybit

· OKX

· Kraken

· KuCoin

· Bitget

· Bittrex

3. Modify the email to include an alert that some suspicious activity has been detected and the user must check its account.

We believe that the idea behind this attack is forcing the victim to access their cryptocurrency account and, using the previously discussed functionality, extract sensitive information.

Bitcoin wallet

The Bitcoin wallet used to get the final C&C domain (“bc1qtms60m4fxhp5v229kfxwd3xruu48c4a0tqwafu”) performed one transaction towards the Bitcoin wallet from which the C&C server is derived (“1C56HRwPBaatfeUPEYZUCH4h53CoDczGyF”). We believe that this wallet is not controlled by the attacker, it simply transferred a low amount of money (0.00056949 BTC, less than 15 USD on the 6th of February 2023) to set up the string that would be decoded to get the C&C domain.

The bc1-wallet had one incoming transaction, coming from “bc1qkr46e27y9xh367n4pgdqjw544d2nlyxgwjxwz2” (note the different addresses, even though the start is similar). This address also received funds from other accounts that can be traced back to the BTC address "bc1qnvg0hqp343eewr08uh3fl86ggk4srtfwanp4na", which received money in a transaction (“351fe6493f9a97eb55bd6a4a678c63fcbe96edce0f09a074323ee5c95cb46cd2”) of 90 BTC from 9 towards 52 addresses. This transaction also contains an interesting Coinbase wallet (“17QyR2ixNj1AgpD5ZuXubvSJ3gPPQVcsvp”), which so