Trend Micro’s Managed XDR observed Genesis Market–style techniques returning, leveraging Node.js as a backdoor platform, EV code signing for defense evasion, and Google Colab as potential search-engine–optimized download sites. The attack chain involves a loader packed with Inno Setup, a second-stage Chrome extension that exfiltrates browser data, and Lu0Bot payloads, with possible alternate svchost masquerades and Zoom/Colab initial access vectors. #GenesisMarket #Lu0Bot #Nodejs #EVCodeSigning #GoogleColab #ChromeExtension #Zoom
Keypoints
- Trend Micro observed Genesis Market–style techniques resurfacing, including EV code signing and download-site infrastructure, possibly reusing Genesis Market’s methods.
- The attack chain centers on a loader packed with Inno Setup, which injects into explorer.exe and fetches payloads from C2 before proceeding to stage two.
- The second stage delivers a malicious Google Chrome extension that harvests browser data and credentials, with shortcuts and a PowerShell installer tied to the extension.
- The second payload involves a legitimate but old Node.js module signed with an EV certificate (Lu0Bot), launched via a backdoor that executes numerous OS commands.
- EV code signing certificates were used to evade detection, with revoked certs and questions about how the attackers gained access to the private keys.
- Initial access candidates include Zoom–driven file downloads and SEO-friendly Google Colab sites that redirect to malicious pages or installers.
MITRE Techniques
- [T1204.002] User Execution – Malicious File – The file is downloaded via a browser and executed by the user. “The file is executed by the user”
- [T1027] Obfuscated/Compressed Files and Information – The loader was packed using Inno Setup, a free installer for Windows. “packed using Inno Setup, a free installer for Windows”
- [T1059.001] PowerShell – The PowerShell script used to install the Chrome extension. “The PowerShell script used to install the Chrome extension”
- [T1055] Process Injection – The loader creates an explorer.exe process injected with malicious code. “the loader…inject with malicious code”
- [T1112] Modify Registry – The malware adds Run keys to start on boot. “reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run …”
- [T1116] Code Signing – Extended Validation (EV) code signing certificates used to sign loaders. “EV code signing certificates mandate hard token specifications…”
- [T1105] Ingress Tool Transfer – Payloads retrieved from the C&C server. “retrieve the payloads from the command-and-control (C&C)”
- [T1059.005] Windows Command Shell – The malware executes OS commands through cmd.exe and the other command-line tools listed in the report. “cmd.exe /c dir C:”
- [T1082] System Information Discovery – Commands like ipconfig and netstat are used to gather system information. “ipconfig.exe /all” “netstat.exe -ano”
- [T1057] Process Discovery – Command lists such as tasklist /fo csv /nh are used to enumerate processes. “tasklist /fo csv /nh”
- [T1047] Windows Management Instrumentation – The dropped payload uses wmic to enumerate processes. “wmic process get …”
- [T1036] Masquerading – The malware masquerades as legitimate services/file names (e.g., svchost). “masquerading as a svchost file”
- [T1555.003] Credentials from Web Browsers – The Chrome extension shares sensitive browser data and credentials. “shares sensitive information from the browser—including user credentials”
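As an added detection-side illustration (not code from the Trend Micro report), the rules below score process-creation events for the behaviours in the technique list above: a Run-key write via reg.exe (T1112), a burst of recon commands under one parent (T1082/T1057), and a svchost.exe image running from outside System32 (T1036). Field names loosely follow Sysmon Event ID 1 and the sample events are constructed; the parent PID 100 stands in for the injected explorer.exe, and the threshold of three recon commands is an assumption to tune per environment.

```python
"""Added example: a small correlation rule set for the Genesis Market-style
behaviours listed above. Event layout and all sample events are constructed
for this example and are not taken from the report."""
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon-like field names assumed).
# PID 100 plays the role of the explorer.exe the loader injects into.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"ts": 2, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
                r"/v upd /t REG_SZ /d C:\Users\u\AppData\Roaming\upd.exe"},
    {"ts": 3, "pid": 102, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ipconfig.exe /all"},
    {"ts": 4, "pid": 103, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c netstat.exe -ano"},
    {"ts": 5, "pid": 104, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c tasklist /fo csv /nh"},
    {"ts": 6, "pid": 105, "ppid": 100, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic process get name,processid"},
    {"ts": 7, "pid": 106, "ppid": 100, "image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    # A single tasklist under an unrelated parent: ordinary admin activity.
    {"ts": 8, "pid": 200, "ppid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c tasklist /fo csv /nh"},
]

# T1112: reg.exe writing the per-user Run key quoted in the technique list.
RUN_KEY = re.compile(
    r"reg(\.exe)?\s+add\s+\"?HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    re.I)
# T1082 / T1057: the recon commands quoted in the technique list.
RECON = re.compile(
    r"\b(ipconfig(\.exe)?\s+/all|netstat(\.exe)?\s+-ano|tasklist\s+/fo\s+csv|wmic\s+process\s+get)",
    re.I)
# T1036: binaries that should only ever run from their canonical path.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32\svchost.exe"}


def classify(event):
    """Return the technique IDs a single event matches (empty list if none)."""
    hits = []
    if RUN_KEY.search(event["cmdline"]):
        hits.append("T1112")
    if RECON.search(event["cmdline"]):
        hits.append("T1082/T1057")
    name = event["image"].rsplit("\\", 1)[-1].lower()
    expected = SYSTEM_BINARIES.get(name)
    if expected and event["image"].lower() != expected:
        hits.append("T1036")
    return hits


def correlate(events, min_recon=3):
    """Group hits by parent PID and alert on a parent that wrote persistence,
    spawned a masqueraded binary, or ran at least min_recon recon commands.
    Returns {ppid: sorted technique IDs} for alerting parents only."""
    by_parent = defaultdict(lambda: {"techniques": set(), "recon": 0})
    for ev in events:
        bucket = by_parent[ev["ppid"]]
        for hit in classify(ev):
            if hit == "T1082/T1057":
                bucket["recon"] += 1
            bucket["techniques"].add(hit)
    alerts = {}
    for ppid, b in by_parent.items():
        if ("T1112" in b["techniques"] or "T1036" in b["techniques"]
                or b["recon"] >= min_recon):
            alerts[ppid] = sorted(b["techniques"])
    return alerts


if __name__ == "__main__":
    for ppid, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"parent pid {ppid}: {', '.join(techniques)}")
```

Correlating by parent rather than alerting on each command keeps a lone `tasklist` from an administrator out of the alert queue while still catching the injected explorer.exe, which in this sample set trips all three rules at once.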
Indicators of Compromise
- [File Hash] 3364dd410527f6fc2c2615aa906454116462bf96 — microsoft_barcode_control_16.0_download.exe (loader)
- [File Hash] 506accb774d2a2be4b0ee3bdd3c549f09684ab9b — SutiLauncher.exe (second-stage launcher)
- [File Hash] e3887b1eddbdd9d4e5b042a85909b69919204570 — SutiLauncher.dll (malicious routines)
- [File Name] microsoft_barcode_control_16.0_download.exe — downloaded and executed as first-stage loader
- [File Name] SutiLauncher.exe / SutiLauncher.dll — loader and DLL with malicious functionality
- [URL] https://iplogger[.]com/1uPSK4 — used by SutiLauncher.dll to check connectivity
- [URL] https://sito-company[.]com/launcher/auth?login={login}&pass={pass} — contacted by SutiLauncher.dll
- [URL] https://complete-s[.]monster/upd.php — pulls encrypted shellcode to memory
- [IP] 91.212.166.16:443 — C2 IP associated with information-stealing malware
- [IP] 91.103.252.74:80 — C2 IP previously associated with StealC and Vidar
- [Domain/URL] iplogger[.]com, complete-s[.]monster, and Colab SEO sites used to host or redirect to malicious payloads
Read more: https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html