Pulse: Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing
TLP: WHITE | Author: AlienVault | Created: 2023-11-24 | Modified: 2023-12-24
Indicators: 24 IOCs
The Trend Micro Managed XDR team encountered malicious operations whose techniques resemble those used by Genesis Market. The threat actor behind these operations abused Node.js as a platform for its backdoor, used Extended Validation (EV) code signing for defense evasion, and possibly used Google Colab to host search-engine-optimized download sites.
Indicators of Compromise (2 of 24 total shown)

TYPE          INDICATOR                          DESCRIPTION                                        CREATED
FileHash-MD5  812d99a3d89b8de1b866ac960031e3df   MD5 of 6817df1da376e8f6e68fd1ad06d78f02406b6e19   2023-11-24
FileHash-MD5  da354f956ee4d8d0bb714b4bda0c57f6   MD5 of 3364dd410527f6fc2c2615aa906454116462bf96   2023-11-24
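The practical use of a pulse like this is to hunt for the listed hashes on hosts you suspect are affected. The script below is an added example and is not part of the OTX pulse or of the Trend Micro report it summarises. It parses the two FileHash-MD5 rows exactly as they appear above, takes each row's "MD5 of <digest>" description to mean the SHA-1 of the same file (an assumption about the OTX description convention), indexes both digests, and walks a directory tree computing MD5 and SHA-1 of every file in chunks. The only constructed data is the benign sample file written by self_check(), whose hashes are added beside the pulse's real ones so the matching logic can be exercised without a real sample.

```python
"""Hunt a directory tree for files matching the hash IOCs in this pulse.

Added example; not part of the OTX pulse or the Trend Micro report.
The two PULSE_ROWS are copied from the page's IOC table. The file
written by self_check() is constructed and benign.
"""
import hashlib
import os
import re
import tempfile

# The two rows exactly as they appear in the pulse's IOC table.
PULSE_ROWS = """\
FileHash-MD5 812d99a3d89b8de1b866ac960031e3df MD5 of 6817df1da376e8f6e68fd1ad06d78f02406b6e19 2023-11-24
FileHash-MD5 da354f956ee4d8d0bb714b4bda0c57f6 MD5 of 3364dd410527f6fc2c2615aa906454116462bf96 2023-11-24
"""

# Assumption: the 40-hex digest after "MD5 of" is the SHA-1 of the same file.
ROW_RE = re.compile(r"FileHash-MD5\s+([0-9a-fA-F]{32})\s+MD5 of\s+([0-9a-fA-F]{40})")


def parse_pulse_rows(text):
    """Return {md5: sha1} for every 'MD5 of <sha1>' row in the table text."""
    return {m.group(1).lower(): m.group(2).lower() for m in ROW_RE.finditer(text)}


def build_index(md5_to_sha1):
    """Flatten the pairs into one digest -> indicator-type lookup."""
    index = {}
    for md5, sha1 in md5_to_sha1.items():
        index[md5] = "FileHash-MD5"
        index[sha1] = "FileHash-SHA1"
    return index


def file_digests(path, chunk_size=1 << 20):
    """MD5 and SHA-1 of a file, read in chunks so large binaries are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def hunt(root, md5_to_sha1=None):
    """Walk root; return [(path, indicator_type, digest)] for every IOC hit.

    A file whose MD5 and SHA-1 are both listed yields two entries, which is
    expected when the pulse lists both digests for one sample.
    """
    if md5_to_sha1 is None:
        md5_to_sha1 = parse_pulse_rows(PULSE_ROWS)
    index = build_index(md5_to_sha1)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:  # unreadable or vanished file: skip, keep hunting
                continue
            for digest in digests:
                if digest in index:
                    hits.append((path, index[digest], digest))
    return hits


def self_check():
    """Constructed end-to-end run: one benign file whose hashes we add as IOCs.

    Returns (hits, md5, sha1) of that constructed file so the match logic
    can be verified without a real sample from the pulse.
    """
    payload = b"constructed sample, not malware"
    md5 = hashlib.md5(payload).hexdigest()
    sha1 = hashlib.sha1(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "sub"))
        with open(os.path.join(tmp, "sub", "node_payload.bin"), "wb") as fh:
            fh.write(payload)
        with open(os.path.join(tmp, "clean.txt"), "wb") as fh:
            fh.write(b"unrelated file")
        iocs = dict(parse_pulse_rows(PULSE_ROWS))
        iocs[md5] = sha1  # constructed IOC added beside the pulse's real ones
        hits = hunt(tmp, iocs)
    return hits, md5, sha1


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, kind, digest in hunt(root):
        print(f"{kind}\t{digest}\t{path}")
```

Run it as `python hunt.py /path/to/suspect/tree`; each line of output is the indicator type, the matched digest and the file path. Matching on both MD5 and SHA-1 means a hit is reported even when only one of the two digests is present in a future, larger export of the pulse.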