Behind Genesis Market traffic, the rise of infostealers


Genesis Market grew as large as it did partly because of the rise of infostealers. The success of this marketplace for stolen access is a reminder of the growing place these malicious programs, designed to harvest information from infected devices, now occupy in the cybercrime ecosystem.

The online marketplace Genesis Market, dismantled last week by Europol, the Dutch police and the FBI, had become one of the main hubs for reselling stolen credentials and authentication cookies. Active since March 2018, the platform is suspected by US prosecutors of having offered more than 80 million compromised accesses for sale.

Cryptocurrency theft

Admittedly, as the cybersecurity company SocRadar points out, there are other ways of obtaining credentials, such as credential stuffing, brute force or rainbow table attacks. But, according to the company, the marketplace was primarily supplied with its raw material by infostealer campaigns, such as those of Raccoon, AZORult or RedLine.

This malware family also counts RedLine, Mars and BlackGuard among its ranks, to name only a few.

It is a rapidly evolving threat that first developed around the theft of cryptocurrencies, Soufyane Sassi, an expert at Recorded Future, explains to ZDNet.fr. Once the accesses to this financial information have been sifted out, the remainder, that is, the other compromised accesses, is put up for sale by the operators of this type of software. That is information of less interest to them, he adds.

Qualification of access

The Genesis platform made it possible to qualify stolen accesses more precisely, and therefore to sell them at a higher price, noted Livia Tibirna at the latest conference on incident response and digital investigation (Coriin), held in Lille during the International Cybersecurity Forum (FIC). This analyst works at Sekoia, a cybersecurity firm that recently identified a new infostealer, Stealc.

On Genesis, buyers could filter listings by country or by targeted service, and could obtain valuable authentication cookies, which allow multifactor authentication to be bypassed: a valid session cookie is replayed instead of performing a fresh login that would trigger the second factor. But the platform was only one of the resale channels for this kind of merchandise, priced at between 1 and 150 dollars per listing, noted CybelAngel.

Stolen accesses are also sold, or even given away in bulk, on other forums or on specialised Telegram channels, for example.

Petty cybercrime

Like the rest of cybercrime, the infostealer ecosystem has become more professional and structured in recent years, "with the pooling of resources, knowledge and accessible marketplaces", Livia Tibirna also stressed. Sitting at the very start of the attack chain, these programs are closer to petty cybercrime. But they play an important role: the access they compromise can be the initial foothold later used in a ransomware attack, for example.

They are also used by more ambitious groups such as Lapsus$, which relied on RedLine to gain access. Beyond the developers, these malicious programs, sold for the equivalent of around a hundred euros, are handled by "traffers", operators who specialise in their deployment and are paid on commission. Organised into teams, the traffers combine several techniques to lure their victims into installing the infostealer.

For example, a hijacked YouTube channel is used to push viewers toward cracked, unlicensed software via a link that actually leads to the infected file. Traffers also work on search engine optimisation, pushing dubious sites offering cracked software to the top of the results. Finally, they buy advertising space on Google, so that a search for, say, a videoconferencing application to download returns their ad. It is a very effective technique, because it exploits the very high trust users place in the search engine.
