BrianKrebs on Nostr: Trellix has a good synopsis of the supply side of Genesis Market, in which various ...
Trellix has a good synopsis of the supply side of Genesis Market, in which various vendors or users of infostealer malware agree to sell the service a continuous feed of freshly stolen passwords, authentication cookies and fingerprints from compromised systems in their botnets.
See subsection "Malware Linked to Genesis Market" https://www.trellix.com/en-us/about/newsroom/stories/research/genesis-market-no-longer-feeds-the-evil-cookie-monster.html

"Over the years, Genesis Market has worked with a large variety of malware families to infect victims, where their info stealing scripts were used to steal information, which was used to populate the Genesis Market store. It comes as no surprise that the malware families linked to Genesis Market belong to the usual suspects of common info-stealers, like AZORult, Raccoon, Redline and DanaBot. In February 2023, Genesis Market started to actively recruit sellers. We believe with a moderate level of confidence that this was done to keep up with the growing demand of their users."
"Based on our own information and information provided by law enforcement, it appears Genesis Market dropped and executed their own set of JavaScript (JS) scripts on the infected machines that were provided to them. This set of JS scripts were designed to grab all the relevant information from the victim’s machine in a structured way, ensuring the data quality across all the bots they were offering via their marketplace."
Published at 2023-04-05 14:51:18

Event JSON
{
"id": "848caab28e663f997afa65bc339de406d0228f01d8963445d6b2773cdcc6ab38",
"pubkey": "1a5ac5b37984c5e37a11bc914029a81f025326ea7950c9475d9a3f21a494cb56",
"created_at": 1680706278,
"kind": 1,
"tags": [
[
"mostr",
"https://infosec.exchange/users/briankrebs/statuses/110146766655556080"
]
],
"content": "Trellix has a good synopsis of the supply side of Genesis Market, in which various vendors or users of infostealer malware agree to sell the service a continuous feed of freshly stolen passwords, authentication cookies and fingerprints from compromised systems in their botnets. \n\nSee subsection \"Malware Linked to Genesis Market\" https://www.trellix.com/en-us/about/newsroom/stories/research/genesis-market-no-longer-feeds-the-evil-cookie-monster.html\n\n\"Over the years, Genesis Market has worked with a large variety of malware families to infect victims, where their info stealing scripts were used to steal information, which was used to populate the Genesis Market store. It comes as no surprise that the malware families linked to Genesis Market belong to the usual suspects of common info-stealers, like AZORult, Raccoon, Redline and DanaBot. In February 2023, Genesis Market started to actively recruit sellers. We believe with a moderate level of confidence that this was done to keep up with the growing demand of their users.\"\n\n\"Based on our own information and information provided by law enforcement, it appears Genesis Market dropped and executed their own set of JavaScript (JS) scripts on the infected machines that were provided to them. This set of JS scripts were designed to grab all the relevant information from the victim’s machine in a structured way, ensuring the data quality across all the bots they were offering via their marketplace.\"",
"sig": "20665498d1f020d43b88851ddc2204f9e61e8d93727d188cf8ec8ae82fa1980c4a7352085317df8128e4eb2279580e6155e16adc780a4badb264d3e9895a6e7e"
}
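The id and sig fields in the Event JSON above are not arbitrary values: under Nostr's NIP-01, id is the SHA-256 of the canonical serialization [0, pubkey, created_at, kind, tags, content], and sig is a BIP-340 Schnorr signature by pubkey over that id. The Python below is an added example, not part of Krebs's note or of the Nostr/mostr software, that recomputes the id from the fields shown above and demonstrates that altering any committed field (the quoted content, or the claimed author pubkey) breaks the match, which is why a relay or client that checks id and sig cannot be fed a spoofed or edited copy of this note. It assumes that Python's compact json.dumps with ensure_ascii=False reproduces NIP-01's serialization for this content (which only needs the \n and \" escapes), and it does not verify the Schnorr signature itself, which needs a secp256k1 implementation.

```python
import hashlib
import json

# Fields copied from the Event JSON above. The content is reproduced byte for byte,
# including the trailing space after "botnets." and the curly apostrophe in
# "victim’s", because every byte of it is part of what the id commits to.
EVENT = {
    "id": "848caab28e663f997afa65bc339de406d0228f01d8963445d6b2773cdcc6ab38",
    "pubkey": "1a5ac5b37984c5e37a11bc914029a81f025326ea7950c9475d9a3f21a494cb56",
    "created_at": 1680706278,
    "kind": 1,
    "tags": [["mostr", "https://infosec.exchange/users/briankrebs/statuses/110146766655556080"]],
    "content": (
        "Trellix has a good synopsis of the supply side of Genesis Market, in which various vendors or users of infostealer malware "
        "agree to sell the service a continuous feed of freshly stolen passwords, authentication cookies and fingerprints from "
        "compromised systems in their botnets. \n\n"
        "See subsection \"Malware Linked to Genesis Market\" "
        "https://www.trellix.com/en-us/about/newsroom/stories/research/genesis-market-no-longer-feeds-the-evil-cookie-monster.html\n\n"
        "\"Over the years, Genesis Market has worked with a large variety of malware families to infect victims, where their info "
        "stealing scripts were used to steal information, which was used to populate the Genesis Market store. It comes as no "
        "surprise that the malware families linked to Genesis Market belong to the usual suspects of common info-stealers, like "
        "AZORult, Raccoon, Redline and DanaBot. In February 2023, Genesis Market started to actively recruit sellers. We believe "
        "with a moderate level of confidence that this was done to keep up with the growing demand of their users.\"\n\n"
        "\"Based on our own information and information provided by law enforcement, it appears Genesis Market dropped and "
        "executed their own set of JavaScript (JS) scripts on the infected machines that were provided to them. This set of JS "
        "scripts were designed to grab all the relevant information from the victim’s machine in a structured way, ensuring the "
        "data quality across all the bots they were offering via their marketplace.\""
    ),
}


def serialize_event(ev):
    """NIP-01 canonical form: [0, pubkey, created_at, kind, tags, content] as JSON
    with no whitespace and non-ASCII kept as raw UTF-8.
    Assumption: json.dumps escaping matches NIP-01 for this content (only \\n and \\")."""
    return json.dumps(
        [0, ev["pubkey"], ev["created_at"], ev["kind"], ev["tags"], ev["content"]],
        separators=(",", ":"),
        ensure_ascii=False,
    )


def compute_event_id(ev):
    """The event id is the SHA-256 of the UTF-8 bytes of the canonical serialization."""
    return hashlib.sha256(serialize_event(ev).encode("utf-8")).hexdigest()


def id_matches(ev):
    """What a validating relay or client checks before trusting the sig: does the
    claimed id actually bind these exact fields?"""
    return compute_event_id(ev) == ev["id"]


def with_field(ev, **changes):
    """Copy of the event with some fields altered but the original id kept, i.e. what a
    relay would receive from someone who edited or re-attributed the note."""
    out = dict(ev)
    out.update(changes)
    return out


if __name__ == "__main__":
    print("serialized prefix:", serialize_event(EVENT)[:90])
    print("recomputed id    :", compute_event_id(EVENT))
    print("page id          :", EVENT["id"])
    print("id matches       :", id_matches(EVENT))
    # Re-attributing the note to another key: the id no longer binds the fields.
    spoofed = with_field(EVENT, pubkey="00" * 32)
    print("spoofed author   :", id_matches(spoofed))
    # Quietly strengthening Trellix's stated confidence level: same result.
    edited = with_field(EVENT, content=EVENT["content"].replace("moderate", "high"))
    print("edited content   :", id_matches(edited))
```

Note that the id only proves integrity of the fields against the id itself; authorship rests on sig, the Schnorr signature over id by pubkey, so a full check recomputes id as above and then verifies sig with a secp256k1/BIP-340 library before accepting the event.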