Pulse: Attack Signals Possible Return of Genesis Market, Abuses Node.js, and EV Code Signing
Author: AlienVault   TLP: WHITE   Created: 2023-11-24   Modified: 2023-12-24
24 IOCs (medium volume)
The Trend Micro Managed XDR team encountered malicious operations that used techniques similar to those previously attributed to Genesis Market. The threat actor behind these operations abused Node.js as the runtime for its backdoor, used Extended Validation (EV) code signing for defense evasion, and possibly used Google Colab to host search-engine-optimized download sites.
Indicators of Compromise (5 / 24 total)
Type            Indicator                                  Description                                                                Created
FileHash-SHA1   3364dd410527f6fc2c2615aa906454116462bf96   SHA1 of cb99365bac3d168e295aa0764a1c67e1a7e582731880ad0522e9b6b3616275df   2023-11-24
FileHash-SHA1   43f11d6ec961fc82cf53e4eca97c429285026f3e   -                                                                          2023-11-24
FileHash-SHA1   506accb774d2a2be4b0ee3bdd3c549f09684ab9b   -                                                                          2023-11-24
FileHash-SHA1   6817df1da376e8f6e68fd1ad06d78f02406b6e19   -                                                                          2023-11-24
FileHash-SHA1   e3887b1eddbdd9d4e5b042a85909b69919204570   -                                                                          2023-11-24
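The indicators above are file hashes, so the practical use of this pulse is a sweep of on-disk files against them. The script below is an added example written for this page; it is not code from AlienVault or Trend Micro. It embeds the five SHA-1 values and the one SHA-256 value shown on the page as its indicator set, hashes files in streaming fashion (so large Node.js bundles do not have to be read into memory), and reports which indicator type matched. The byte strings used in the self-check are constructed sample data and are not related to the campaign.

```python
"""Sweep files against the SHA-1 / SHA-256 indicators listed on this pulse.

Added example for this page; the indicator values are copied from the pulse
table, everything else (function names, sample bytes) is this example's own.
"""
import hashlib
import sys
from pathlib import Path

# SHA-1 indicators shown on the page (5 of the pulse's 24 IOCs).
PULSE_SHA1 = {
    "3364dd410527f6fc2c2615aa906454116462bf96",
    "43f11d6ec961fc82cf53e4eca97c429285026f3e",
    "506accb774d2a2be4b0ee3bdd3c549f09684ab9b",
    "6817df1da376e8f6e68fd1ad06d78f02406b6e19",
    "e3887b1eddbdd9d4e5b042a85909b69919204570",
}

# The page notes that the first SHA-1 corresponds to this SHA-256.
PULSE_SHA256 = {
    "cb99365bac3d168e295aa0764a1c67e1a7e582731880ad0522e9b6b3616275df",
}


def digests(data: bytes) -> dict:
    """Return hex SHA-1 and SHA-256 of an in-memory byte string."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path: Path, chunk: int = 1 << 20) -> dict:
    """Hash a file in 1 MiB chunks; both digests come from a single read pass."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h1.update(block)
            h256.update(block)
    return {"sha1": h1.hexdigest(), "sha256": h256.hexdigest()}


def match_digests(d: dict, sha1_set=PULSE_SHA1, sha256_set=PULSE_SHA256) -> list:
    """Return the list of matching indicators, tagged with their hash type."""
    hits = []
    if d["sha1"] in sha1_set:
        hits.append("sha1:" + d["sha1"])
    if d["sha256"] in sha256_set:
        hits.append("sha256:" + d["sha256"])
    return hits


def match_iocs(data: bytes, sha1_set=PULSE_SHA1, sha256_set=PULSE_SHA256) -> list:
    """Convenience wrapper for in-memory data (e.g. a sample pulled from a sandbox)."""
    return match_digests(digests(data), sha1_set, sha256_set)


def scan_tree(root, sha1_set=PULSE_SHA1, sha256_set=PULSE_SHA256) -> dict:
    """Walk a directory and return {path: [matching indicators]} for files that hit.

    Unreadable files (permissions, transient locks) are skipped rather than
    aborting the sweep, which is the behaviour you want on a live host.
    """
    findings = {}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            hits = match_digests(file_digests(p), sha1_set, sha256_set)
        except OSError:
            continue
        if hits:
            findings[str(p)] = hits
    return findings


if __name__ == "__main__":
    # Usage: python ioc_sweep.py <directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(f"{path}: {', '.join(hits)}")
```

Because SHA-1 and SHA-256 are computed in the same pass, the sweep costs one read per file regardless of how many indicator types the pulse carries; extending it to the MD5 entries of the full pulse is a matter of adding a third hasher and set.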