Return of Genesis Market: Hackers Exploited Node.js and EV code signing

In the labyrinthine landscape of cyber threats, the Trend Micro Managed XDR team has uncovered a malevolent symphony echoing the tactics employed by the infamous Genesis Market. 

Trend Micro Managed XDR, or Extended Detection and Response, is a comprehensive cybersecurity solution provided by Trend Micro, a global leader in cybersecurity solutions.

This nefarious threat actor has deployed a sophisticated arsenal, leveraging Node.js as a backdoor platform, deploying Extended Validation (EV) Code Signing for elusive defense evasion, and, intriguingly, potentially exploiting Google Colab to host search engine-optimized download sites.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

At the heart of this cyber saga lies the strategic misuse of Node.js, a popular JavaScript runtime. 

Exploiting its capabilities, the threat actor establishes a covert backdoor, granting them a platform for executing surreptitious commands on infected systems, reads Trend Micro report.

This covert maneuver poses a severe threat to users, opening the gateway for malicious payloads like the formidable Lu0bot malware.

Hackers Exploited Node.js and EV Certificate
Infection chain 
TimelineActivity
T0The file, microsoft_barcode_control_16.0_download.exe, (3364dd410527f6fc2c2615aa906454116462bf96) is downloaded using a browser
+ 20 secondsThe file is executed by the user
+ 1 minute and 15 secondsThe first payload is executed
+ 1 secondThe second payload is executed.
+ 13 secondsThe first backdoor command is executed via lu0bot.
+ 3 mins 20 secondsThe last backdoor command is executed via lu0bot.

Observed Timeline of Events

EV Code Signing: A Shield of Deception

In a calculated move to remain undetected, the malicious actors wield the power of Extended Validation (EV) Code Signing. 

By compromising this security measure, the threat actors obtain access to private keys, allowing them to sign their malicious code with a veneer of legitimacy. 

This manipulation facilitates stealthy operations and heightens the danger of compromised systems.

In an unexpected turn, the malevolent forces possibly exploit the unsuspecting Google Colab as a host for search-engine-optimized download sites. 

This strategic choice amplifies the reach of their nefarious operations, ensnaring users who unsuspectingly navigate the virtual realm, potentially compromising their digital fortresses.

The attackers hone in on unsuspecting users engaged in file downloads from the internet, including those transmitted through social media or chat applications. 

This insidious strategy extends its reach, capitalizing on users’ vulnerabilities in navigating the expansive digital sphere.

Unveiling the Key Findings: A Cat-and-Mouse Game

Several key findings emerge from this cyber cat-and-mouse pursuit, notably the adversaries’ adept use of EV code signing and the inconspicuous harbor of malicious content within the confines of Google Colab.

As users navigate the perilous waters of the internet, fortified defenses are imperative. 

Recommendations include vigilant scrutiny of downloaded files, verification of sender identities in social media or chat apps, wariness of unusual file extensions, and the dutiful commitment to regular software updates. 

These defensive measures serve as a shield against the ever-evolving tactics of cyber adversaries.

Embark on this journey into the digital shadows, where cyber intricacies unfold and defenders stand resilient against the encroaching darkness. 

The revelations from the Trend Micro Managed XDR team underscore the urgency for users to fortify their cyber defenses and navigate the virtual realm with heightened vigilance.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Sujatha is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under her belt in Cyber Security, she is covering Cyber Security News, technology and other news.