Genesis Market No Longer Feeds The Evil Cookie Monster

Genesis Market, a major underground marketplace for stolen credentials, browser fingerprints, and cookies, was disrupted by a multinational law enforcement operation spanning 17 countries: the site was replaced by takedown notices and its users faced arrest or contact from police. The post-takedown analysis details how Genesis Market operated, the malware families and tools it leveraged (including a specialized browser, Genesium), and the multi-stage infection chain used to harvest data and facilitate account takeovers.

Keypoints

  • Global law enforcement disrupted Genesis Market in a coordinated operation across 17 countries, with takedown splash screens and potential arrests or interviews for users.
  • Genesis Market sold credentials, browser fingerprints, and cookies, positioning itself as a one-stop shop for account takeovers and MFA bypass, with an invitation-only registration and a proprietary Genesium browser/plugin.
  • Criminals could impersonate victims by loading stolen fingerprints and cookies into their own browser or into the Genesium browser, so the victim's sites kept recognising the session and MFA was bypassed.
  • The marketplace stored and organized data from many victims across numerous sectors (streaming, web shops, banks, corporate logins) and charged different prices for bots by country and volume.
  • Genesis Market used a multi-stage malware chain (including setup.exe, DLL dropper yvibiajwi.dll, and process hollowing) to exfiltrate data and ultimately deploy commodity malware such as DanaBot; a Chrome extension was used to steal cookies, history, and browser data.
  • MITRE-style analysis shows a wide range of techniques, including user execution, browser extensions, process hollowing, cookie theft, system information discovery, sandbox evasion, screen capture, web protocol usage, proxy usage, and ingress tool transfer.
  • Remediation guidance includes CheckYourHack, antivirus updates, password changes, MFA hardening, and organizational best practices for IAM, EDR, and web filtering to prevent credential theft and browser-based data exfiltration.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The initial infection vector involved a setup.exe delivered via an Inno Setup installer. Quote: ‘the file is indeed a setup. More precisely, it is an Inno Setup instance.’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – The final stage involves a malicious Chrome extension and associated JavaScript files. Quote: ‘Malicious Chrome extension and associated JavaScript Files.’
  • [T1176] Browser Extensions – Genesis Market used a specialized browser/plug-in (Genesium) to inject stolen artifacts. Quote: ‘a unique specialized browser and plugin, called Genesium, that allowed for an easy injection of the stolen artifacts.’
  • [T1055.012] Process Injection: Process Hollowing – The shellcode uses process hollowing to inject a payload into a target process. Quote: ‘process hollowing, in the process specified at the end of the shellcode.’
  • [T1539] Steal Web Session Cookie – The malware collects browser cookies to maintain sessions and impersonate victims. Quote: ‘Gets the browser’s cookies.’
  • [T1082] System Information Discovery – The malware gathers victim system information (browser, OS) for targeting. Quote: ‘information about the victim’s browser and operating system.’
  • [T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks – The analysis notes sandbox/virtualization evasion via user activity checks. Quote: ‘Sandbox/virtualization evasion: User Activity Based Checks.’
  • [T1113] Screen Capture – The malware captures screenshots of the current tab as part of data collection. Quote: ‘Screenshots of the current tab.’
  • [T1071.001] Web Protocols – C2 communications leverage web protocols from a browser context. Quote: ‘Application Layer Protocol: Web Protocols.’
  • [T1568] Dynamic Resolution – C2 domain resolution involves dynamic address construction and resolution. Quote: ‘Dynamic Resolution.’
  • [T1102.001] Web Service: Dead Drop Resolver – The malware uses web services to resolve a dead drop/C2 mechanism. Quote: ‘Web Service: Dead Drop Resolver.’
  • [T1090.002] Proxy: External Proxy – The malware can route traffic via an external proxy or via the victim’s machine as a proxy. Quote: ‘by using a VPN service or by using the victim’s machine as a proxy.’
  • [T1105] Ingress Tool Transfer – The malware downloads and executes additional binaries from the C2 server (don-dns[.]com). Quote: ‘downloads and executes another binary from the “don-dns[.]com” command and control server.’
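The extension described under T1176 and T1539 needs broad site access plus the cookie and history APIs to do its job. The following is an added defender-side example, not code from the report or from Trellix: it triages Chrome extension manifests for that permission combination. The permission names are real Chrome manifest keys; the risk levels and the sample manifests are constructed for illustration.

```python
import json
from pathlib import Path

# Permissions that, combined with access to every host, let an extension read
# session cookies, browsing history and open tabs across all sites.
COOKIE_THEFT_PERMS = {"cookies", "history", "tabs", "webRequest", "webNavigation"}
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def triage_manifest(manifest: dict) -> dict:
    """Return the flagged permissions and a constructed risk level for one manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 keeps host patterns in "permissions"; V3 moved them to "host_permissions".
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    flagged = sorted(perms & COOKIE_THEFT_PERMS)
    broad_hosts = bool(hosts & ALL_HOSTS)
    if "cookies" in perms and broad_hosts:
        level = "high"      # can read every site's cookies: session-hijack material
    elif flagged and broad_hosts:
        level = "medium"    # history/tab visibility on every site
    elif flagged:
        level = "low"       # sensitive API, but host access is limited
    else:
        level = "none"
    return {"name": manifest.get("name", "?"), "level": level,
            "flagged": flagged, "broad_hosts": broad_hosts}

def scan_dir(root) -> list:
    """Triage every manifest.json below root, e.g. a Chrome profile's Extensions folder."""
    results = []
    for mf in Path(root).rglob("manifest.json"):
        try:
            results.append(triage_manifest(json.loads(mf.read_text(encoding="utf-8"))))
        except (ValueError, OSError):
            continue    # unreadable or malformed manifest: skip, do not crash the sweep
    return results

# Constructed sample manifests (not taken from the report).
STEALER_LIKE = json.loads('{"manifest_version": 3, "name": "Sample Helper",'
                         ' "permissions": ["cookies", "history", "tabs", "storage"],'
                         ' "host_permissions": ["<all_urls>"]}')
MV2_TABS_ONLY = json.loads('{"manifest_version": 2, "name": "Tab Tool",'
                           ' "permissions": ["tabs", "<all_urls>"]}')
BENIGN = json.loads('{"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}')

if __name__ == "__main__":
    for m in (STEALER_LIKE, MV2_TABS_ONLY, BENIGN):
        print(triage_manifest(m))
```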

Indicators of Compromise

  • [IP address] – 142.11.244.14, 104.234.119.29, and 104.234.10.89
  • [Domain] – you-rabbit.com, don-dns.com
  • [BTC address] – bc1qtms60m4fxhp5v229kfxwd3xruu48c4a0tqwafu, 1C56HRwPBaatfeUPEYZUCH4h53CoDczGyF
  • [Hash, listed as MD5 but 64 hex characters long, i.e. SHA-256 length] – fb67f006c56ab5f511be9a7b14787396fc17f587188e7da05dfdec4ebf28f924
  • [SHA256] – F01F9D74E48492BF5DE50CB4F6DF21B9F7120F4DB4CDE91FA761A0A8BD0EA524
  • [URL] – https://you-rabbit.com/api/machine/commands?uuid={uuid}, https://you-rabbit.com/api/machine/set-command
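An added example, not from the report: a proxy-log check that matches the network indicators listed above, labels hits with the technique IDs from the MITRE list, and flags clients that repeatedly poll the commands endpoint. The log format, client addresses and the downloaded file name are constructed; the hosts and URL paths are the ones quoted above.

```python
import re
from collections import Counter

# Network indicators quoted in the report summary above.
C2_HOSTS = {"you-rabbit.com", "don-dns.com",
            "142.11.244.14", "104.234.119.29", "104.234.10.89"}
# The bot polls "commands" with its uuid and reports back through "set-command".
PATH_TECHNIQUES = {
    "/api/machine/commands": "T1071.001 command polling",
    "/api/machine/set-command": "T1071.001 result upload",
}
DOWNLOAD_HOSTS = {"don-dns.com"}   # named above as the source of a further binary (T1105)

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
URL_RE = re.compile(r"^https?://(?P<host>[^/:?#]+)(?::\d+)?(?P<path>/[^?#]*)?")

def classify(line: str):
    """Return a hit record for one log line, or None when no indicator matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u or u["host"].lower() not in C2_HOSTS:
        return None
    host, path = u["host"].lower(), u["path"] or "/"
    techniques = [PATH_TECHNIQUES[path]] if path in PATH_TECHNIQUES else []
    if host in DOWNLOAD_HOSTS and m["method"] == "GET":
        techniques.append("T1105 ingress tool transfer")
    return {"client": m["client"], "host": host, "path": path, "techniques": techniques}

def scan(lines, poll_threshold=3):
    """Classify every line; also list clients polling the commands endpoint repeatedly."""
    hits = [h for h in map(classify, lines) if h]
    polls = Counter(h["client"] for h in hits if h["path"] == "/api/machine/commands")
    beaconing = sorted(c for c, n in polls.items() if n >= poll_threshold)
    return hits, beaconing

# Constructed sample log lines (not from the report).
SAMPLE_LOG = """\
2023-04-05T10:00:01Z 10.0.0.21 GET https://www.example.org/index.html 200
2023-04-05T10:00:07Z 10.0.0.21 GET https://you-rabbit.com/api/machine/commands?uuid=0000-demo 200
2023-04-05T10:00:37Z 10.0.0.21 GET https://you-rabbit.com/api/machine/commands?uuid=0000-demo 200
2023-04-05T10:01:07Z 10.0.0.21 GET https://you-rabbit.com/api/machine/commands?uuid=0000-demo 200
2023-04-05T10:01:09Z 10.0.0.21 POST https://you-rabbit.com/api/machine/set-command 200
2023-04-05T10:02:00Z 10.0.0.21 GET http://don-dns.com/update.bin 200
2023-04-05T10:02:30Z 10.0.0.33 GET https://104.234.10.89/ 403
""".splitlines()

if __name__ == "__main__":
    hits, beaconing = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("repeated command polling from:", beaconing)
```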

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/genesis-market-no-longer-feeds-the-evil-cookie-monster.html