Cybereason GSOC has identified a malware campaign involving Lummastealer that drops a malicious browser extension linked to the Genesis Market, a criminal marketplace selling stolen credentials. This extension targets multiple browsers to collect extensive user data which is then exfiltrated to attacker-controlled servers. #Lummastealer #GenesisMarket
Key Points
- Lummastealer distributes a malicious browser extension that serves as the final payload connected to the Genesis Market infrastructure.
- The Genesis Market extension targets Chrome, Opera, Brave, and Microsoft Edge browsers to harvest sensitive browser data including cookies, clipboard, history, open tabs, emails, crypto wallets, and payment information.
- The infection spreads through phishing and social engineering tactics using a zip installer containing MSI and executable files that deploy LummaStealer via DLL side-loading or process hollowing.
- The downloaded PowerShell script installs the browser extension, modifies browser settings for persistence, and deploys multiple JavaScript payloads for data collection and command execution.
- Data exfiltration occurs through command and control servers resolved via blockchain transactions, reverse proxies, and WebSocket connections.
- Genesis Market has been dismantled previously by law enforcement, but this campaign demonstrates its ongoing presence through new malware delivery mechanisms.
- Cybereason recommends forensic imaging, data inventorying, firewall blocking of known C2 domains, and user awareness of related social engineering tactics.
MITRE Techniques
- [T1566] Phishing – Initial access is gained through phishing or social engineering that tricks victims into downloading malicious payloads.
- [T1204.002] User Execution: Malicious File – Victims execute malicious MSI installers delivered via zip files.
- [T1059.007] Command and Scripting Interpreter: JavaScript – JavaScript scripts run in the browser extension to harvest data and communicate with the attacker.
- [T1176] Browser Extension – The malware installs a malicious browser extension to maintain persistence and collect information.
- [T1055.012] Process Injection: Process Hollowing – LummaStealer uses process hollowing to load malicious DLLs into legitimate processes.
- [T1027.013] Encrypted/Encoded File – The third-stage payload is delivered encoded in Base64 and decoded at runtime.
- [T1539] Steal Web Session Cookie – The extension collects cookies to facilitate session hijacking.
- [T1082] System Information Discovery – The malware gathers system-related information including OS, hardware, and installed extensions.
- [T1113] Screen Capture – The extension periodically captures screenshots of the active browser tabs.
- [T1071.001] Application Layer Protocol: Web Protocols – Communication with C2 servers happens over web-based protocols using WebSocket and HTTP requests.
Indicators of Compromise
- [SHA1 Hash] Malicious files involved in deployment – 95d2980786bc36fec50733b9843fde9eab081918 (obs-ffmpeg-mux.exe), c07e49c362f0c21513507726994a9bd040c0d4eb (appv7.2.8.msi), and 0cbca4dbbdcb61e8336753bdabda33b56c51c52e (v6.20.0installerx64.zip).
- [IP Addresses] C2 Infrastructure – 104.21.16[.]110 and 172.67.210[.]204 resolving to hit-kick[.]com, 104.21.53[.]8 resolving to sergei-esenin[.]com.
- [Domains] Command and Control servers – exilepolsiy[.]sbs, laddyirekyi[.]sbs, gzipdot[.]com, true-lie[.]com, and several other related domains used for C2 communication and payload delivery.
- [URLs] Payload download locations – last-blink[.]com/2709.bs64 and root-head[.]com/25082.bs64 hosting Base64-encoded payloads.
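The firewall-blocking and inventory recommendations above come down to matching the published indicators against what your own telemetry shows. The following Python script is an added example, not code from Cybereason or the report: it takes the defanged indicators exactly as listed in this alert (only the named domains, IPs and SHA1 hashes; the "several other related domains" the report does not enumerate are not included), refangs them, and scans DNS, proxy and file-inventory log lines for domain, subdomain, IP and hash matches. The log lines, host names and timestamps in SAMPLE_LOGS are constructed for the demonstration and are not from the report.

```python
import re
from dataclasses import dataclass

# Indicators as published in the alert, kept in defanged form so they can be
# pasted around safely; they are refanged only at match time.
DEFANGED_DOMAINS = [
    "hit-kick[.]com", "sergei-esenin[.]com", "exilepolsiy[.]sbs",
    "laddyirekyi[.]sbs", "gzipdot[.]com", "true-lie[.]com",
    "last-blink[.]com", "root-head[.]com",
]
DEFANGED_IPS = ["104.21.16[.]110", "172.67.210[.]204", "104.21.53[.]8"]
SHA1_HASHES = {
    "95d2980786bc36fec50733b9843fde9eab081918": "obs-ffmpeg-mux.exe",
    "c07e49c362f0c21513507726994a9bd040c0d4eb": "appv7.2.8.msi",
    "0cbca4dbbdcb61e8336753bdabda33b56c51c52e": "v6.20.0installerx64.zip",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}

# Loose extractors: any dotted host name, any dotted-quad, any 40-hex-char token.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SHA1_RE = re.compile(r"\b([0-9a-f]{40})\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain", "ip" or "sha1"
    indicator: str   # the refanged indicator that matched
    line: str


def scan_line(line_no: int, line: str) -> list:
    """Return every indicator hit found in a single log line."""
    hits = []
    for m in HOST_RE.finditer(line):
        host = m.group(1).lower()
        # Match the listed domain itself or any subdomain of it.
        for d in DOMAINS:
            if host == d or host.endswith("." + d):
                hits.append(Hit(line_no, "domain", d, line))
    for m in IP_RE.finditer(line):
        if m.group(1) in IPS:
            hits.append(Hit(line_no, "ip", m.group(1), line))
    for m in SHA1_RE.finditer(line):
        digest = m.group(1).lower()
        if digest in SHA1_HASHES:
            hits.append(Hit(line_no, "sha1", digest, line))
    return hits


def scan(lines) -> list:
    """Scan an iterable of log lines; line numbers are 1-based."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample telemetry (not from the report): DNS answers, proxy
# requests and a file-hash inventory, with one benign line of each type.
SAMPLE_LOGS = [
    "2025-06-01T10:00:01Z dns client=10.0.0.5 qname=www.example.com answer=93.184.216.34",
    "2025-06-01T10:00:07Z dns client=10.0.0.5 qname=hit-kick.com answer=104.21.16.110",
    "2025-06-01T10:00:09Z proxy client=10.0.0.5 GET http://last-blink.com/2709.bs64 status=200",
    "2025-06-01T10:00:15Z proxy client=10.0.0.8 GET https://sub.true-lie.com/ws status=101",
    "2025-06-01T10:01:00Z inventory host=ws-12 file=C:\\Users\\u\\Downloads\\appv7.2.8.msi "
    "sha1=c07e49c362f0c21513507726994a9bd040c0d4eb",
    "2025-06-01T10:01:02Z inventory host=ws-12 file=C:\\Windows\\notepad.exe "
    "sha1=0000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        label = SHA1_HASHES.get(h.indicator, "")
        print(f"line {h.line_no}: {h.kind} {h.indicator} {label}".rstrip())
        print(f"    {h.line}")
```

Subdomain matching matters because the extension's C2 traffic is described as going through reverse proxies and WebSocket endpoints, which need not sit at the bare apex domain; the script therefore treats any host under a listed domain as a hit. The extractors are deliberately loose so they work on unparsed text from different log sources; the cost is a dependence on the indicator set being exact, which is why the list should be extended only from the report itself or your own verified observations.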
Read more: https://www.cybereason.com/blog/threat-alert-genesis-market