
So I'm gonna introduce our next speaker, and this gentleman has actually explored the Wild Wild Web. Our next speaker is the one who took down the Genesis Market, and y'all are not going to want to miss this. John Fokker is previously from the Dutch National High Tech Crime Unit, or as they say it in Dutch, Team High Tech Crime. Team High Tech Crime sounds like an amazing television show I'd like to watch, and in fact the Dutch police produced documentaries all about how they take down criminals. So John is a principal engineer at Trellix, he leads the threat intelligence group, and he's the one who worked with the Dutch National High Tech Crime Unit and helped take down the criminals and the Genesis Market. So John is going to take us through how to take cookies from the Cookie Monster. Take it away, John, the stage is yours. Thank you for being here.

Thank you. Hi, thank you so much, and welcome. I guess everybody leaving the room were actually customers of Genesis Market and they already know the story, so they can leave. I'm fortunate enough that... oh, I heard it, that's the timer, sorry. I'm fortunate enough that I work with Trellix and I work with the Trellix Advanced Research Center, and I run a threat intelligence team, or the intelligence group, and that team covers cybercrime and nation-state actors across the globe 24/7.
And that research helps us improve our products, but also our own products, and do research and publish about it, and once in a while it allows us to do some really, really cool things, and that is, for instance, for the greater good, helping law enforcement. So hands up, who knows who the Cookie Monster is? I'll be disappointed if somebody has not raised their hands. So who knows who the Cookie Monster is? Okay, everybody knows it. Who knows what Genesis Market is? Good. Well, I'll promise you, after this talk you will know what Genesis Market is and why it's important.

How we got approached in this whole story is a bit different. This is literally me on the day that the police called. It was a couple of months ago, I was skiing, I had a well-deserved holiday, and I was on top of the slope, I was like click, click, ready to go, and then my phone rang, and I was like, ah, shall I take it or not? And it was an unknown number. Normally I'd never pick up an unknown number, for this reason. I picked up, and it was, hey, hey John, this is, what you would call it, from the police, we have something interesting. I was like, oh, do tell. We need your help. It's almost like they call the A-Team. But anyways, they said, we need your help with something, we cannot tell you what it is, it is secret, and we're like, okay, is it that secret? But anyways, let's call and meet up physically when you're back from your holiday and let's have a talk. So funny enough, a week later I went to the police station, we had to sign an NDA, and then they told us: we are going to take down Genesis Market, but we need your help. And we weren't the only private sector entity there, there was another company as well, and they asked for some specific things, and I was like, great, this is awesome, because Genesis Market has been around for quite a while and it's finally time that somebody's taking a stab. So this is how we got involved, and this was the outcome. So if you are familiar with Genesis Market or you've read the news, this is what it looked like when they
took it down: the familiar splash screen and everything else, all those banners. What is interesting is that they did more than 200 arrests during that day, so it was a multi-operation. It was not only about taking down the site, finding out who the victims are, remediation, all these things; no, it was about attribution and apprehending their customers. So think of it: a global operation that started in Australia all the way to the U.S. of more than 200 arrests.

But when did it start? Just like a fairy tale, or Once Upon a Time in the West, it started in 2018 already. This is the original advertisement the Genesis Market made on Exploit, a cybercriminal forum, where they introduced themselves. Up till that time you had other markets, BlackPass and other things, that were selling credentials that were stolen, but this was a little different, and at the time I was like, oh, this is really relevant, or whatever. But what they were offering was browser fingerprints, or browser cookies, so basically anything that identifies you as you on your browser they were stealing, and they were selling complete profiles. Up until that time there were mostly shops selling credentials, username, passwords, and that was enough, but with the rise of multi-factor authentication they actually provided something to circumvent it. And they were around. Our team has been around this forum quite a bit, we stayed there, we didn't really interact, we didn't buy anything, we acted like a fly on the wall. That's obviously very often a really good tactic, to be the fly on the wall, not to look... just to look and see what happens.

And when we zoom in, if you're not familiar, what are the dangers of Genesis? So like I said, it has everything you need to take over an account. Who in this room goes online shopping? Hence everyone, that's easy. I always ask easy questions that everybody can raise their hands to. So I can imagine that if you go online shopping you might have seen, either from your browser, that it says, do you trust this site? Who
clicks yes? And now nobody raises their hands. I knew it, we're all security professionals. Maybe one or two. So when that happens, or when you have to do an authentication to their website and you log in, and then you do something else, you grab a coffee, you open up a different screen, you come back, and then you come back to the website and you don't have to authenticate, it already knows, like, hey John, you're back. I think we all have experienced that. The mechanism that makes sure that you don't have to log in, so that convenience, the usability, that's the Achilles heel that Genesis Market is targeting, because the online services do this by planting cookies, taking elements from your browser, taking elements of your computer, your language settings and all these things, and storing them, and then storing them locally, and comparing it to what they have, and they say, yes, this is still John, he authenticated prior, we still trust him because all these parameters are in place. These parameters are stored locally, so what Genesis Market does, the malware that they have, they steal these parameters, they bundle it up in a package and they sell it. So if you have all those parameters, and there's even a proxy, you can successfully take over this account.

They have malware, we're going to look at that a little bit. Funny enough, I was sending in my slides and Microsoft Defender went haywire because of the malware detection names. Yeah, it's funny, talk about being sensitive. But anyways, the malware that they use is very interesting, because it's not even that obfuscated, it's not even super sophisticated, it is literally just right there, but nobody sees it because there's no mechanism that really checks it. And removing the malware doesn't alleviate the problem, because your credentials and everything is already gone. So if you just remove the malware, the criminals can still have your credentials, and by using this website it is an effective way to bypass multi-factor authentication. So if a service
uses a pre-authentication, or they have elements that they use to check if you're pre-authenticated, if you can log in, so that they already know you, that's the Achilles heel that this website is targeting. And we're talking not only about your Amazon or your Facebook or whatever, no, this is banks, corporate logins and all these things. We were able to trace users of Genesis Market to ransomware attacks, so this is something that a lot of initial access brokers are using to gain that initial foothold, to build up their reputation on the network, get more credentials and all these things, and sell it off. So the corporate credentials, that's the worrying thing. Trellix is a company that targets this; their appliances are mostly again for enterprises, so we look at the major threats. And this is also... a lot of consumers are being targeted through this, but during COVID, and mind you, this website was up in 2018, and during the COVID pandemic everybody had to work from home, not all companies had adequate security measures on people's own laptops. So if that laptop was actually infected with the malware here, those corporate credentials from your Office 365 or whatever it is that you log into your corporate environment with got stolen as well. So you can see that they could have a really big impact.

So all good, John, but what are we talking about? What's the size, what's the scale? So on the screen, on the side, you see a screenshot of the Genesis Market. It looks very plain, very simple, but this, we call it almost the Amazon of stolen credentials and online profiles. In their showroom they had more than 450,000 very neatly organized online profiles. You can click on them, get everything, and everything was structured perfectly. Working with the police we actually learned that was only the showroom; in the back they had even more, about 1.5 million credentials. So if there's one takeaway here from the story, and you go home and you haven't done it already, check either Have I Been Pwned
or check through the Dutch police website if you are in this dump, because it could save you a lot of headaches. There were more than 225 countries listed, so it's not only the U.S., it's almost every country in the world they had credentials from. And it's interesting, because the price ranged for the amount of logins, or the amount of online services that you had in your profile. So if you have for instance a U.S. profile, you had several banks, you had several online shops, maybe social media profiles and all that stuff, that would raise the price. Whereas, yeah, if you're in, let's say, Timbuktu and you have only one login for one thing when you got infected, very unlucky, you'll probably be on the cheaper end. And what was interesting, they did real-time updates, so the victims weren't aware. Every time they updated their password or changed anything, and the malware was still there, it got siphoned off, instantly updated, and this website made it very clear, it's like, hey, there's new, fresh logins, all these things. So you can see in the bottom: Google, Amazon, PayPal, Netflix, you name it. So if somebody's using your Spotify or your Netflix, it might be this.

When we zoom in on one of those accounts, if we want to purchase them, and this is the website, you can see that there's, for instance, this is a Dutch account which you see here, and if you have really good eyes and you can zoom in, there's a couple of things, if you're Dutch, you might get triggered. Let's see if the laser works. This one here, obviously it's very highly secured, but that's our government login for your social security, so any governmental service, if you have to do your taxes or anything else, is linked through that website. Very lucky for that website that it has a different authentication method, so it's not susceptible to this attack, but you can imagine if you just had a government website with basic MFA, it's in this data set. And as a user of Genesis Market, let's say we're buyers, you can just log in, click on this profile, you
deposit some money and you can grab these credentials, all these elements. So how do you commit the fraud, or how do you take over that account? Well, Genesis was like the Amazon and made it easy. They had a proprietary browser, so they have a browser based on Chrome that they've modified, and you could actually purchase or download that browser if you were a member and you've already downloaded credentials, and you can use this browser to load your stolen credentials in, even activate a proxy through the victim's machine, and then assume the identity of the victim. What is interesting is that you cannot download the browser, you need to purchase credentials. That's a mechanism that this store uses to raise the bar, because by doing so you actually commit a crime: you purchase stolen credentials from somebody else, you commit a crime, in order to get the browser. Well, an older version of the browser was on VT, and we got a copy of the browser through the police, luckily, so we were able to do some research.

So that leaves us with a question, for myself, because when I looked in 2018 at the Genesis Market, when we were on the forums, we saw that they were also advertising and asking for other commodity malware families, to say, well, we'll buy your logs, we'll buy your access, we want to partner with you, contact us in a DM. So that means DanaBot, Vidar stealer, maybe RedLine, all these infostealers were doing business with Genesis Market. But the site, as you just see or saw, is very neatly organized, so how did it go from having these partnerships with other malware families to having that neatly organized store? I was like, are they doing this all by hand, organizing this? Because every piece of commodity malware has different functionalities, different ways of storing data, different data structures, different taxonomies. That must be a headache. Well, actually they had their own malware.

So when we look at the infection chain, how they did it, and this was the example, we were lucky enough
that in this case the Dutch police has done several online purchases of the credentials, they were able to locate the victim, they were able to go to that specific victim and grab the information from the victim's machine. They were sharing this information with us, so only the malware, only the malicious code, and they asked us, Trellix, okay, but how does this work, how did the victim become infected? In this case the victim actually was very interesting: they were semi-securely... security aware. They used torrent sites to download a competitor AV of ours, which was obviously infected with malware. So that's like a catch-22, or I would call it, it's unlucky: you go and download something to get yourself protected and actually you open up a back door. But anyways, the binary that they downloaded contained DanaBot, and DanaBot injected itself, they created a foothold on the system, and in this case we believe that the DanaBot access was sold to Genesis Market, and what Genesis Market did was use that access to launch their own, we call it, malware. It's JavaScript based, it's actually a browser extension. So what they did was... the Chrome browser is really good at detecting attacks coming through the web, so they're really good at that, because you have the iframe attacks and all that stuff for credential theft and banking fraud, they made a really good, solid structure. However, with the back door on the system itself, if the system itself is infiltrated, it was child's play to inject a malicious extension into the Chrome browser and have it just sit there in plain sight. These criminals didn't even take a lot of methods or measures to obfuscate their code. It was pure JavaScript, it was all there. So they use that browser extension, which hides amongst many other browser extensions, to grab data from the machine.

What's interesting is that we can go into the whole code. A browser extension that has C2 communication, I can understand that some browser extensions want to have some statistics that they
would send over, but examining the code we can see something interesting, especially up there, because if you know what it is, it's speaking out to a Bitcoin address. They request the information through a Bitcoin address. Well, I have never seen a browser extension in my life do this, and what was interesting is that they just checked it on the blockchain and they got a response, and the response was in base58, and the response code was actually, well, encoded base58, and that translated to a C2 domain. You rabbit... this is very interesting. I think a month ago Kaspersky published a piece of research on something similar. They named it differently; it had the exact same C2 server, so we kind of called them, it's like, hey guys, maybe you should read Genesis Market and our blog, because I'm pretty sure you're looking at Genesis Market. So it's interesting to see that even though our efforts are there to distribute the malware code and signatures and everything to our industry peers, there are still infected machines out there.

So what did it steal? I named a couple of things, but if we look at all the features, it goes anywhere from your screen grab, your monitor, memory, CPU stage, all kinds of things. There's a whole list, you can read it all in our paper, and then right at the bottom it also says the proxy. That is what makes it interesting, because a lot of these safeguards in online services, they check your IP address, they check if you are you based on your IP. Well, this malware just uses your machine as a proxy, and you route the traffic through it and you can take it over. When we look at the MITRE techniques, we just have it as a repository for us, it's very helpful, because we communicate to our customers and base our remediation on it. So you see all the familiar stuff: credential access, stealing web session cookies, all these things, proxies, so it's very familiar stuff if you're familiar with MITRE techniques.

So we have over 600 million sensors in the world with our company, we
have 41,000 customers globally, and what is interesting is that, based on the malware that we got, we were building remediation, we were sharing this at the appropriate time, because obviously you can imagine this is an operation; when it started it took several days and there was a timeline, so we could not share the malware early because we might tip off the criminals. So we had to do some other work, but we also ran the telemetry on the malicious files across the globe, and what you see here in the screenshot of the world is what we saw in this region. So yes, Israel is also impacted, and other countries like Turkey as well. So this is from April 5th this year, the telemetry that we saw, and it's not millions, it's not thousands, we're talking about hundreds of machines, but still these are Trellix customers impacted by Genesis Market.

The contributions that we did for Genesis were, as you can see, the malware analysis, but we also wrote remediation advice, because the police is great at catching criminals but not the best at writing remediation advice, so they need some help. So we helped out to write remediation advice directed at consumers but also at corporate entities. I can assume that most of the people here work for a company, so what do you do if your company is being targeted by a criminal that's using these types of credentials? How do you detect that stuff, how do you detect stolen credential usage in this way? Because they do a lot of efforts to fly under the radar. So internally we have a nice portfolio that we use to align this. And lastly, sample sharing, because these are one of these unique moments in time where you're allowed to help out, and it's not about keeping the cards close to your chest, but when the time comes to share, you need to share this with the community, you need to make people aware that this threat is out here. So we did that as soon as the takedown notice was there, the big screen. We could share it on VT, we shared it through our
internal channels with Symantec, Microsoft and everybody else, so everybody is aware. And judging by the difficulties we have with my presentation, I think Microsoft went very thoroughly, so they blocked it quite well. And all this, with the arrests, led to, yeah, we could say we took the cookies from the Cookie Monster. Does this end the story? The people that were arrested were the buyers, were the users globally. The admins of the store were based in a different country, there's no extradition treaty with them, they're based in the Russian Federation. The clear web sites of the store were taken down, but the Tor webs