The recent activities indicating the possible return of Genesis Market, a known website for facilitating fraud, involve the abuse of Node.js and Extended Validation (EV) Code Signing. These techniques were identified by the Trend Micro Managed XDR team, who observed malicious operations that mirrored the strategies previously employed by Genesis Market.
Key aspects of this attack include:
- Use of Node.js: The attackers abuse Node.js, a popular JavaScript runtime, as a platform for installing backdoors on infected systems. Running the backdoor on a legitimate runtime is a deliberate approach to gaining and maintaining access within compromised environments.
- Legitimate Code Signing Certificates: A critical part of the infection chain is the installation of an old but legitimate version of Node.js that is bundled with a valid code signing certificate. This is particularly insidious because it does not rely on victims already running outdated software; rather, the threat actor actively installs the vulnerable module, making the intrusion harder for users to detect.
- EV Code Signing for Defense Evasion: Extended Validation code signing is used by the threat actors for defense evasion. The technique leverages the trust granted to software signed with an EV certificate to bypass security controls, allowing the malware to operate under the guise of legitimacy.
- Possible Use of Google Colab: The threat actor behind these operations may also be using Google Colab to host search engine-optimized download sites. This would let them distribute malicious payloads more effectively by leveraging Google's search engine ranking to reach a wider audience.
- Genesis Market's Tactics: The similarities with techniques previously used by Genesis Market suggest a sophisticated level of operational capability and an understanding of effective cyber fraud methodologies.
This development underscores the ongoing evolution of cyber threats and the sophistication of tactics used by cybercriminals. The use of legitimate tools and platforms for malicious purposes highlights the need for heightened vigilance and advanced cybersecurity measures.
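The defensive takeaway from the Node.js and code-signing abuse above is that a valid signature on node.exe must not suppress an alert. The following triage logic is an added example, not code from the original post or from Trend Micro; it runs over constructed process-creation events (image path, command line, signature verdict) and flags Node.js launched from outside its standard install directory, scripts executed from user-writable locations, or inline JavaScript on the command line.

```python
"""Triage of process-creation events for the Node.js abuse described above.

Constructed example: the event format and sample events are assumptions,
not data from the original page.
"""
import re

# Where an administrator-installed node.exe normally lives on Windows.
EXPECTED_NODE_DIRS = (
    "c:\\program files\\nodejs\\",
    "c:\\program files (x86)\\nodejs\\",
)
# User-writable locations that legitimate installers rarely run scripts from.
SUSPICIOUS_SCRIPT_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Node flags that execute JavaScript passed inline, leaving no script on disk.
INLINE_FLAGS = re.compile(r"(^|\s)(-e|--eval|-p|--print)(\s|$)")


def triage_node_event(event):
    """Return the reasons this event looks like Node.js abuse (empty list if none)."""
    image = event["image"].lower().replace("/", "\\")
    cmdline = event["cmdline"].lower().replace("/", "\\")
    reasons = []
    if not image.endswith("\\node.exe"):
        return reasons  # only Node.js launches are in scope here
    if not image.startswith(EXPECTED_NODE_DIRS):
        reasons.append("node.exe outside the standard install directory")
    if any(d in cmdline for d in SUSPICIOUS_SCRIPT_DIRS):
        reasons.append("script argument in a user-writable directory")
    if INLINE_FLAGS.search(cmdline):
        reasons.append("inline JavaScript passed on the command line")
    # Core point of the post: a valid (even EV) signature is not a clean verdict.
    if reasons and event.get("signed"):
        reasons.append("validly signed binary: signature must not suppress the alert")
    return reasons


# Constructed sample events (assumed, not indicators from the original page).
SAMPLE_EVENTS = [
    {"image": "C:\\Program Files\\nodejs\\node.exe",
     "cmdline": "\"C:\\Program Files\\nodejs\\node.exe\" C:\\dev\\app\\server.js", "signed": True},
    {"image": "C:\\Users\\alice\\AppData\\Roaming\\nodejs\\node.exe",
     "cmdline": "node.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.js", "signed": True},
    {"image": "C:\\Program Files\\nodejs\\node.exe",
     "cmdline": "node.exe -e \"require('net')\"", "signed": True},
    {"image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "signed": True},
]


def flagged_sample():
    """Return (image, reasons) for every sample event that produced at least one reason."""
    return [(e["image"], r) for e in SAMPLE_EVENTS if (r := triage_node_event(e))]
```

Pair the path and command-line checks with an inventory of which Node.js versions your organisation actually deploys, so an unexpectedly old but signed build stands out.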
REFERENCES
- https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html
- https://www.threatshub.org/blog/attack-signals-possible-return-of-genesis-market-abuses-node-js-and-ev-code-signing/
- https://www.securitricks.com/attack-signals-possible-return-of-genesis-market-abuses-node-js-and-ev-code-signing-friday-november-24-2023/
- https://otx.alienvault.com/pulse/65609160cddfd2987cac2ef3
TAGS
genesis market, lu0bot, malicious chrome extension