Pulse Detail — Threat Intelligence

PULSE NAME

Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing

WHITE AlienVault 2023-11-24 Modified: 2023-12-24

IOCs

MEDIUM VOLUME

The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to the ones used by Genesis Market. The threat actor behind these operations abused Node.js to act as a platform for the backdoor, Extended Validation (EV) Code Signing for defense evasion, and possibly Google Colab to host search engine-optimized download sites.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059 T1574 T1102 T1036 T1553 T1055 T1059.001 T1176

Indicators of Compromise (24)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	812d99a3d89b8de1b866ac960031e3df	MD5 of 6817df1da376e8f6e68fd1ad06d78f02406b6e19	2023-11-24
FileHash-MD5	da354f956ee4d8d0bb714b4bda0c57f6	MD5 of 3364dd410527f6fc2c2615aa906454116462bf96	2023-11-24
FileHash-SHA1	3364dd410527f6fc2c2615aa906454116462bf96	SHA1 of cb99365bac3d168e295aa0764a1c67e1a7e582731880ad0522e9b6b3616275df	2023-11-24
FileHash-SHA1	43f11d6ec961fc82cf53e4eca97c429285026f3e	—	2023-11-24
FileHash-SHA1	506accb774d2a2be4b0ee3bdd3c549f09684ab9b	—	2023-11-24
FileHash-SHA1	6817df1da376e8f6e68fd1ad06d78f02406b6e19	—	2023-11-24
FileHash-SHA1	e3887b1eddbdd9d4e5b042a85909b69919204570	—	2023-11-24
FileHash-SHA256	9c5898b1b354b139794f10594e84e94e991971a54d179b2e9f746319ffac56aa	SHA256 of 6817df1da376e8f6e68fd1ad06d78f02406b6e19	2023-11-24
FileHash-SHA256	cb99365bac3d168e295aa0764a1c67e1a7e582731880ad0522e9b6b3616275df	SHA256 of 3364dd410527f6fc2c2615aa906454116462bf96	2023-11-24
URL	https://complete-s.monster/upd.php	—	2023-11-24
domain	complete-s.monster	—	2023-11-24
domain	sito-company.com	—	2023-11-24
URL	https://sito-company.com/launcher/auth	—	2023-11-24
FileHash-SHA256	305cb9ebdef618a626075f71fce3f4a64091e7a875a5ddff983aaeeea0f1fd41	—	2023-11-24
FileHash-SHA256	3b0defb024e41af699b5dfc424a9ff276409f447edd24af024b34941f5ab62a9	—	2023-11-24
FileHash-SHA256	d9ca193b5da85a3841ec749b67168c906e21bbaac40f0a0bff40839efb3a74c1	—	2023-11-24
FileHash-SHA256	f30b39f5e722cb106f37d1738fff7ad20fa8e312d82e246d4a6e2175685b963b	—	2023-11-24
URL	http://230927151335115.mxb.ewk48.shop/f/fvgs30927001.msi	—	2023-11-24
URL	https://fast-difficult.monster/api7.php?name=microsoft_barcode_control_16.0_download	—	2023-11-24
URL	https://ps1-local.com/obfs3ip2.bs64	—	2023-11-24
domain	fast-difficult.monster	—	2023-11-24
domain	ps1-local.com	—	2023-11-24
hostname	230927151335115.mxb.ewk48.shop	—	2023-11-24
hostname	trojan.win32.cookiemonster.jcb	—	2023-11-24

References (2)

↗ https://www.trendmicro.com/en_us/research/23/k/attack-signals-possible-return-of-genesis-market.html ↗ https://www.trendmicro.com/content/dam/trendmicro/global/en/research/23/k/attack-signals-possible-return-of-genesis-market/iocs-attack-signals-possible-return-of-genesis-market.txt