Exploring the Genesis Supply Chain for Fun and Profit

Research: Part 1 – Misadventures in GUIDology by Raveed Laeb, Product Manager

This is the first post in a series of posts reviewing the supply chain of the Genesis Store market – a likely-Russian threat actor operating a successful, borderline innovative, pay-per-bot store since 2018. The following post features a quick-and-easy methodology breaking down over 335,000 unique Genesis infections into four malware groups, allowing us to attribute over 300,000 AZORult infections to the Genesis actors currently involved in campaigns resulting is tens of thousands of new AZORult infections per month. Furthermore, it seems Genesis isn’t necessarily leading these campaigns, but rather working with various Malware-as-a-Service (MaaS) providers and cybercrime services.

This discovery, linking Genesis with widely known commodity malware, highlights the ongoing threat to organizations and the proliferation of illegal data obtained from infections. It also sheds light on the supply chain relationships between actors operating within the cybercrime financial ecosystem (read: Dark Net); we’ll explore this theme, including specific actors and trends, in the next posts.

Uncovering the Anonymity Cloak

KELA's Research Team

Due to its anonymity, the Darknet is flooded with threat actors working together to share information, services, and knowledge required to carry out successful cyber-attacks, particularly within the cybercrime financial ecosystem.

We’ve uncovered the real identity of a threat actor dubbed SaNX – a handle that has become an infamous one among many security departments of numerous leading corporations worldwide. Here, we’ll also reveal his activities, other handles in the Darknet, and affiliations to other hacking groups.

One Attacker's Trash is Another Attacker's Treasure: A New Ecosystem Drives Cybercrime Innovation

Raveed Laeb, Product Manager

The cybercrime financial ecosystem constantly adapts to meet innovative, emerging business needs. Buyers are interested in gaining the most data in the easiest, most frictionless way possible – and threat actors are glad to lend a helping hand: from Malware-as-a-Service, to monthly subscriptions and data breaches, new services are popping up on a daily basis.
This entry focuses on one interesting trend taking hold in many communities: the direct and targeted selling of data obtained from banking Trojans and infostealers. This is carried out both directly by threat actors in cybercrime communities and throughout specialized automated markets, and emphasizes a threat against enterprises: actors monetizing corporate credentials. However, these robust and vibrant markets also provide a great theatre for intelligence collection and an opportunity for defenders to have a look directly into cybercriminals’ operations.