Profiling the Internet Connected Infrastructure of the Genesis Market Cybercrime-Friendly Online Marketplace

Dear blog readers,

I’ve decided to take a deeper look inside the Internet-connected infrastructure of the recently seized Genesis Market cybercrime-friendly marketplace, with the idea of providing actionable intelligence and assisting vendors, organizations and researchers, including U.S. law enforcement, in properly tracking down and monitoring the cybercriminals behind these campaigns.

Related Genesis Market domains:

Sample IPs known to have been involved in the campaign include:

Sample related domains:

Sample IPs:

  • 179[.]43[.]157[.]79
hxxp://exoffer[.]net – Email: lisadaley0024@gmail[.]com
hxxp://softexpertupdate[.]com – Email: proprivxx@rambler[.]ru
  • 179[.]43[.]157[.]79
hxxp://pornnhub[.]net – Email: mertvural@mynet[.]com; vuralmert@mynet[.]com
hxxp://exoffer[.]net
hxxp://123nextgift[.]com
hxxp://update-flash[.]net
hxxp://recallsystem[.]net
hxxp://flash-update[.]net
hxxp://k7m58z65g32t[.]net
hxxp://filesbase[.]net – Email: aleksei[.]rqbakov@mail[.]ru – hxxp://realstatistics[.]info; hxxp://webstatisticspro[.]net
hxxp://softexpertupdate[.]com
hxxp://pornnhub[.]net

Dots dots dots. We’ve already got the [email protected] email profiled here.

 Sample screenshots include:

Stay tuned!

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog - Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: https://ddanchev.blogspot.com/2023/04/profiling-internet-connected.html