KELA specialists have drawn attention to the fact that the Genesis trading platform, where not just personal user data but ready-made virtual personalities are traded, has serious problems. The number of stolen credentials on the site has already decreased by 35% and continues to fall. The reason is that the AZORult malware, which steals user credentials, does not work with the new Chrome 80.
Let me remind you that the Genesis marketplace was described in detail by Kaspersky Lab researchers last year. The trading platform was launched at the end of 2018 and offered for sale not just other people's personal data but more than 60,000 ready-made virtual personalities, that is, highly detailed data on a user's behavior on the network: site visit history, information about the operating system, browser, installed plugins, etc. By the end of 2019, there were already more than 335,000 ready-made “personalities” on the site.
Each set of digital fingerprints for sale includes credentials from various accounts (payment accounts, social media profiles, file sharing services, etc.), cookies, user-agent details, WebGL signatures, and other information about the browser and the victim’s computer (often more than 100 different parameters). Such data sets cost from 5 to 200 US dollars.
Moreover, for the convenience of their customers, Genesis operators have developed a special Chrome extension, Genesis Security. It allows an attacker to use the purchased digital “mask” to recreate the virtual identity of its original owner and thereby deceive security systems.
After the publication of the Kaspersky Lab report, KELA experts put a lot of effort into studying Genesis and trying to figure out how it works. In particular, the experts were very interested in where personal data in such quantity came from. One theory was that the data was collected from user machines by some malware, but which one remained unclear.
As a result, KELA specialists were able to establish that 90% of all digital fingerprints offered on the trading platform are associated with a single kind of malware. After examining the GUID format assigned to the victims, the experts concluded that they were most likely dealing with the well-known malware AZORult. This made sense, since AZORult was one of the most active and widespread malware families of 2019 and could well supply a resource of Genesis's scale with data. Analysts write that, most likely, several hacker groups operating AZORult botnets delivered data to the marketplace at the same time.
But in February 2020, Google released Chrome 80, and with this version AES-256 began to be used to hash passwords in the browser (stored locally in Chrome's internal SQLite database). Because of this, browser passwords began to be saved in a different format, and this seemingly small change effectively undermined AZORult, which could no longer extract passwords from Chrome.
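The storage-format change the paragraph describes, shown as an added example that is not part of the original article and is neither Chrome's nor AZORult's code: a credential is sealed with AES-256-GCM (the mode Chrome 80 actually adopted) behind a "v10" version prefix (the prefix Chrome on Windows really writes), the owner's reader checks the prefix and the authentication tag before returning anything, and a stand-in for a tool hard-wired to the old layout (`legacyRead`, a constructed name) rejects every new-style record. The 12-byte nonce placed in front of the ciphertext and the caller-supplied 32-byte key are this example's own assumptions; Chrome protects its key with the operating system, which this example omits.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Chrome 80 on Windows prefixes every AES-GCM-protected password with the
// bytes "v10"; that prefix is real. Everything else here (a 12-byte nonce
// stored in front of the ciphertext, a caller-supplied 32-byte key) is this
// example's own simplified layout, not Chrome's implementation.
const (
	versionPrefix = "v10"
	nonceSize     = 12
	keySize       = 32 // AES-256
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// protectPassword seals a credential as prefix || nonce || ciphertext || tag.
func protectPassword(key []byte, password string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte(versionPrefix), nonce...)
	return aead.Seal(out, nonce, []byte(password), nil), nil
}

// isVersionedBlob reports whether a stored value uses the new, prefixed layout.
func isVersionedBlob(blob []byte) bool {
	return bytes.HasPrefix(blob, []byte(versionPrefix)) &&
		len(blob) >= len(versionPrefix)+nonceSize
}

// unprotectPassword is the owner's inverse of protectPassword. The GCM tag
// check means a blob that was truncated or altered fails closed.
func unprotectPassword(key []byte, blob []byte) (string, error) {
	if !isVersionedBlob(blob) {
		return "", errors.New("not a v10 blob")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := blob[len(versionPrefix) : len(versionPrefix)+nonceSize]
	pt, err := aead.Open(nil, nonce, blob[len(versionPrefix)+nonceSize:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// legacyRead stands in for a tool hard-wired to the pre-Chrome-80 layout
// (a constructed stand-in, not AZORult's code). It has no notion of a
// version prefix, so every new-style record is rejected as unreadable;
// old-layout handling is simplified to a passthrough.
func legacyRead(blob []byte) (string, error) {
	if isVersionedBlob(blob) {
		return "", errors.New("unknown record layout: version prefix present")
	}
	return string(blob), nil
}

func main() {
	key := make([]byte, keySize) // constructed demo key, generated fresh each run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, err := protectPassword(key, "correct horse battery staple") // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored as %q + %d bytes\n", blob[:len(versionPrefix)], len(blob)-len(versionPrefix))
	if _, err := legacyRead(blob); err != nil {
		fmt.Println("legacy reader:", err)
	}
	pt, err := unprotectPassword(key, blob)
	fmt.Println("owner with key:", pt, err)
}
```

The point for a defender is the asymmetry: the legitimate reader needs the key and a tag check, while a scraper that pattern-matched the old layout simply stops producing output, which is exactly the collapse in new Genesis records the article goes on to report.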
Let me remind you that development of AZORult was discontinued in 2018. This was probably because version 3.2 of AZORult, along with the source code of the administrative panel used to control the botnet, had earlier become widely available. This version of the malware spread actively on hacker forums, where users could download it and, with virtually no special skills, configure it for their own purposes. So now that Chrome 80 has "broken everything", there is no one to expect updates from.
A small change in Chrome hit Genesis hard. Last year, about 18,000 new stolen digital fingerprints were added to the trading platform every day; now that number has dropped 30-fold to approximately 600 new records per day. The marketplace has begun to shrink gradually, and the total number of stolen credentials has already fallen to about 200,000 – 230,000.
KELA researchers write that the release of Chrome 80 appears to be the second and final “death” of AZORult: until recently many groups were still using the leaked malware source code, but now running AZORult no longer makes sense.
Genesis operators have already begun to move to other malware. According to analysts, data stolen by AZORult has already stopped arriving on the trading platform, and information stolen by other malware, which has yet to be “identified”, is gradually appearing instead.
Experts predict that the market will likely survive the final "death" of AZORult. Marketplace suppliers will soon realize that after the release of Chrome 80 AZORult has become almost useless, will switch to other threats, and will then revive their partnership with Genesis. However, Genesis operators had better hurry, as other similar services (for example, RichLogs) have already appeared that could take advantage of the unstable situation and take the lead.