Bird Brained Posts · Ramblings about infostealers and infosec


Stealers, Stalkerware and ***** or: How I Learned to Stop Worrying and Love the Logs

A while back I was reminiscing about the good old days before genesis.market had been seized by the feds. What a time to be alive, you could buy access to live logs for pennies on the dollar compared to western cyberespionage agency prices, sooooo.... why don't we build our own?

genesis.market, the uhhh... genesis?

Many many moons ago, when I was still on twitter, I wrote a thread covering an infostealer data market called Genesis. It was a truly revolutionary move in the cybercrime industry: sleek UI, established success, and I was given access to it by a well known Thrunter for free. Originally designed as a market to facilitate fraud, it quickly developed a secondary purpose of achieving targeted initial access. The original fraud features allowed you to filter the victims' credential db for specific sites or tagged software; different tags carried different weights that affected the price of purchasing the browser identity. For example, a victim with only social media account logins saved will be considerably cheaper than one tagged with PayPal, Online Gambling or Banking.

To facilitate the fraud, genesis provided their own version of chromium that allowed you to import browser profiles stolen from the victims and impersonate them against any potential AML or anti-fraud detections.

You've probably realised by now why this is great for the average Initial Access Broker, but if you haven't, let's take a look at the average post on exploit.in or xss.is:

We Take:
/vpn/index.html
/vpn/tmindex.html
/auth/login.aspx
/LogonPoint/tmindex.html
XenApp1/auth/login.aspx
auth/silentDetection.aspx
/citrix/
/remote/login
/global-protect/login.esp
/cgi-bin/welcome
/dana-na/auth/url_default/welcome.cgi
/+CSCOE+/logon.html
/RDWeb/webclient/
/RDWeb/Pages/
/logon/LogonPoint/
/portal/webclient/
/dana-na/auth
/my.policy

These are all login paths for common SSLVPN/RMM appliances that the threat actor is asking other users to search for in their collections of logs.

Individual users will reply to this post in public or via DM to negotiate the sale, with the price changing depending on factors such as industry, number of networked PCs, initial access rights and company value. (This, in my opinion, is key to Genesis' albeit time-limited success: it was all automated, no need to haggle if you know exactly what you're getting. Further on in the article I'll touch on why I think Genesis had this easier than most.)

McGruff, the crime logs!

You might ask, Gilda, well where are you going to get these stealer logs? The internet, dear reader, the internet is where we're going to get them of course. And no, before you ask, this is a crime-free method that relies solely on threat actors advertising their own channels/log sales (commonly referred to as a "log cloud") on known forums, chat rooms etc. Scrape enough of these free samples and you get approx 5bn records (pre deduplication).

Telegram is a goldmine of threat actor activity: from stealers to botnet install services, it has everything a girl could need to stalk the stalkers. However, getting to use its API makes it infinitely more useful in the hands of anyone doing OSINT or any other form of InfoSec.

A small challenge

So, as an exercise left to the reader (laziness), make your own telegram file downloader to start a personal copy of this dataset.

As a starting point: @cloud_arthouse Some hints:

The Data Itself

Firstly, the format for this data sucks and I want to shoot whoever first standardised the crimeware scene on it. URL:LOGIN:PASS, commonly referred to as ULP, is a deceptively painful format once you realise that it is merely a suggestion: some threat actors may use different delimiters, and others may throw them out the window completely to invent their own unique flavour; for example, "U L:P" is another common format.

Secondly, the format is designed to be grepped over as a folder of .txt files for specific URL paths or login domains; it is neither machine nor human readable. Once you build out a simple parser that naively splits lines with 4 or more colons into the 3 constituent columns, you may begin to realise that any one of the fields may logically contain any number of ":", e.g. every single protocol handler in the URL field, any kind of ";JSESSIONID=" appended to a request (for the case of the ";" delimiter), and many different types of PWA that use query parameters containing colons (proxmox is the first example in my head).
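To make the two points above concrete (the delimiter-soup of ULP, and the appliance path list from the "We Take" post), here is an added example of my own; it is not code from the post or from any tool it mentions. The parser splits right-to-left so the scheme colon, a port and query colons stay in the URL, recognises the "U L:P" and ";" variants, and flags any line where the delimiter also occurs inside the URL path (the ";JSESSIONID=" and proxmox cases, or a password that itself contains a colon) instead of guessing. A triage pass then dedupes on a normalised key and keeps only records for domains you own that hit one of the quoted appliance login paths, which is the subset a defender wants to rotate first. Every sample line, hostname and credential is constructed.

```python
"""Tolerant ULP (URL:LOGIN:PASS) parser plus an appliance-login triage pass."""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional
from urllib.parse import SplitResult, urlsplit

SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

# The SSLVPN/RMM login paths quoted in the post's "We Take" list.
APPLIANCE_PATHS = (
    "/vpn/index.html", "/vpn/tmindex.html", "/auth/login.aspx",
    "/LogonPoint/tmindex.html", "XenApp1/auth/login.aspx",
    "auth/silentDetection.aspx", "/citrix/", "/remote/login",
    "/global-protect/login.esp", "/cgi-bin/welcome",
    "/dana-na/auth/url_default/welcome.cgi", "/+CSCOE+/logon.html",
    "/RDWeb/webclient/", "/RDWeb/Pages/", "/logon/LogonPoint/",
    "/portal/webclient/", "/dana-na/auth", "/my.policy",
)


@dataclass(frozen=True)
class Record:
    url: str
    login: str
    password: str
    delimiter: str
    ambiguous: bool  # the delimiter also occurs inside the URL's path/query


def _url_body(s: str) -> str:
    """Drop 'scheme://' so the scheme's own colon never counts as a delimiter."""
    m = SCHEME_RE.match(s)
    return s[m.end():] if m else s


def _parts(url: str) -> SplitResult:
    """urlsplit that tolerates a missing scheme (some logs drop it)."""
    return urlsplit(url if SCHEME_RE.match(url) else "//" + url)


def parse_ulp(line: str) -> Optional[Record]:
    """Split one line into URL, login and password, or None if it cannot be."""
    line = line.strip()
    if not line:
        return None
    # Variant "U L:P": URL, a space, then login:password. Only accept it when
    # the token before the space is a URL with at most a port colon in it.
    head, _, tail = line.partition(" ")
    if tail and ":" in tail and SCHEME_RE.match(head) and _url_body(head).count(":") <= 1:
        login, _, password = tail.partition(":")
        return Record(head, login, password, " ", False)
    body = _url_body(line)
    # Prefer ':' (U:L:P); fall back to ';' (U;L;P), the other common variant.
    delim = ":" if body.count(":") >= 2 else ";" if body.count(";") >= 2 else None
    if delim is None:
        return None
    # Right-anchored split: the last two delimiters belong to login and
    # password, so scheme colons, ports and query colons stay in the URL.
    url, login, password = line.rsplit(delim, 2)
    p = _parts(url)
    # If the delimiter also occurs in the path/query/fragment (";JSESSIONID=",
    # a proxmox-style query with ':', or a password containing the delimiter)
    # the URL/password boundary is not recoverable from the line alone.
    ambiguous = delim in (p.path + p.query + p.fragment)
    return Record(url, login, password, delim, ambiguous)


def dedupe_key(rec: Record) -> tuple:
    """Normalise host case and trailing slashes so re-posted lines collapse."""
    p = _parts(rec.url)
    return ((p.hostname or "").lower(), p.path.rstrip("/").lower(),
            rec.login.lower(), rec.password)


def triage(lines: Iterable[str], own_domains: Iterable[str]) -> Iterator[Record]:
    """Yield unique records for our own domains that hit an appliance login path."""
    own = tuple(d.lower() for d in own_domains)
    needles = tuple(p.lower().lstrip("/") for p in APPLIANCE_PATHS)
    seen = set()
    for line in lines:
        rec = parse_ulp(line)
        if rec is None:
            continue
        key = dedupe_key(rec)
        if key in seen:
            continue
        seen.add(key)
        host = key[0]
        if not any(host == d or host.endswith("." + d) for d in own):
            continue
        if any(n in _parts(rec.url).path.lower() for n in needles):
            yield rec


# Constructed sample lines in the variants the post describes; not real data.
SAMPLE_LINES: List[str] = [
    "https://vpn.example.org/vpn/index.html:alice@example.org:Winter2024!",
    "https://proxmox.example.org:8006/?console=kvm&vmid=100&node=pve:root@pam:Secret1",
    "http://intranet.example.org/RDWeb/Pages/;JSESSIONID=ABC123;bob;hunter2",
    "https://portal.example.org/RDWeb/webclient/ carol:Letmein1",
    "https://portal.example.org/auth/login.aspx:erin:pa:ss",
    "https://shop.other-site.test/login:dave:qwerty",
    "https://VPN.example.org/vpn/index.html/:alice@example.org:Winter2024!",
    "garbage line with no delimiters",
]


def demo(own_domains=("example.org",)) -> List[Record]:
    hits = list(triage(SAMPLE_LINES, own_domains))
    for r in hits:
        note = "  <- ambiguous, review by hand" if r.ambiguous else ""
        print(f"{r.login!r} on {r.url}{note}")
    return hits


if __name__ == "__main__":
    demo()
```

On the sample set this yields four hits for example.org: alice's VPN record, bob's RDWeb record (flagged, because the ";" delimiter also sits inside ";JSESSIONID="), carol's "U L:P" record, and the login.aspx line whose password contains a colon (flagged; the right-anchored split mis-assigns it, which is exactly why the flag exists). The proxmox line parses cleanly because the port colon lives in the authority, not the path, and the re-posted uppercase-host duplicate of alice's line collapses on the normalised key.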

And finally, as mentioned earlier, some personal thoughts on what genesis was doing right with their data:

Stalkerware Hitlist

Late one night, after eventually building a small webapp to query the data, Maia (@awawawhoami) showed me this list of Stalkerware IOCs (which honestly needs a good prune; there's a lot of stuff on there that doesn't belong). I will provide a few of my favourites from the small dataset I acquired:

The rest of this article intentionally left blank ;)