New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past. One popular PhaaS (Phishing-as-a-Platform) was Caffeine, which was first identified and reported by Mandiant researchers. 

MRxC0DER, an Arabic-speaking threat actor, developed and maintained the caffeine kit.

However, Caffeine has now been discovered to be rebranded as ONNX Store and is found to be managed independently, but the original developer is taking care of the Client support.

Threat actors are currently using this new rebranded platform to target financial institutions through phishing emails.

Additionally, the ONNX store offers a user-friendly interface that can be accessed via Telegram bots.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

Further, it also has the capabilities to bypass 2FA mechanisms which will increase the success rate of business email compromise attacks.

PhaaS Platform Bypass 2FA

According to the reports shared with Cyber Security News, the phishing pages used in these campaigns resemble the original Microsoft 365 login page that will convince any unsuspecting user to enter their authentication credentials.

As a matter of fact, the rebranding specifically focused on improving operational security for threat actors and their services.

While Caffeine kit used a single shared web server for managing all the phishing campaigns, this new ONNX store allows threat actors to control their operations via Telegram bots and support is provided by a support channel. Some of the observed ONNX store channels and bots are

• @ONNXIT: A Telegram user – manages support needs from clients.
• @ONNX2FA_bot: A Telegram bot for clients to receive 2FA codes from successful phishing operations.
• @ONNXNORMAL_bot: A Telegram bot for clients to receive Microsoft Office 365 login credentials.
• @ONNXWEBMAIL_bot: A Telegram bot for clients to control a Webmail server for sending phishing emails.
• @ONNXKITS_BOT: A Telegram bot for clients to make payments for ONNX Store services and track their orders.

This is one hand of the channels and the bots, whereas the Services offered include: 

• Microsoft Office 365 phishing template generation.
• Webmail service for sending phishing emails and using social engineering lures.
• Bulletproof hosting and RDP services for cybercriminals to manage their operations securely.

Cloudflare To prevent Domain Shutdowns

In several instances, Law Enforcement fought against these cybercriminal operations that have resulted in domain shutdowns to prevent further activities.

However, this new setup uses Cloudflare to delay the takedown process of phishing domains, which provides features like anti-bot CAPTCHA to evade website scanner detections and IP proxying to hide the original hosting provider.

Further, the cost of different phishing tools is as follows:

• Webmail Normal service ($150/Month): Offers customizable phishing pages and webmail server.
• Office 2FA Cookie Stealer ($400/Month): A phishing landing page that captures 2FA tokens and cookies from victims, featuring statistics, country blocking, and email grabbing.
• Office Normal package ($200/Month): Enables email credential harvesting capabilities without bypassing 2FA.
• Office Redirect Service ($200/Month): Advertised by ONNX Store as creating “Fully Undetectable (FUD) links”. This service exploits trusted domains, such as bing.com, to redirect victims into attacker controlled phishing landing pages.

As added information, this new PhaaS platform also allows Quishing (QR-phishing) attacks in which threat actors distribute PDF documents via phishing emails that will contain a QR code. 

If these QR codes are scanned, it will redirect the victim to a phishing landing page. Further, most of the phishing emails impersonated reputable services like Adobe or Microsoft 365.

Encrypted JS Code To Evade Detection

Adding to its arsenal, this phishing kit also uses an encrypted Javascript code that will only decrypt when the page loads.

This prevents anti-phishing scanners from detecting these phishing domains. 

Once the JS code decrypts, third-party domains such as “httbin[.]org” and “ipapi[.]co” collect the victims’ network metadata, such as browser name, IP address, and location, before sending it to threat actors.

The encryption method also hides malicious scripts which follow the below approaches

• Encoded string is decoded from base64
• Every character of the decoded string is XORed with a character from the hardcoded key, cycling through the key for the decryption.
• The result is a decrypted string (JavaScript code), which is then executed by the browser.

These hidden malicious scripts cannot be viewed during a casual inspection. However, if the key and the encrypted string are known, it can be decrypted easily.

However, the decrypted JS code was also designed to steal the 2FA token entered by the victims.

Bulletproof Hosting For Cybercriminals

The phishing domains registered have SSL certificates, which GTS CA 1P5 issued from Google Trust Services LLC.

Further, most of the registered domains were through NameSilo and EVILEMPIRE-AS.

Further, these bulletproof hosting services enabled cybercriminals an additional layer of anonymity.

In addition, there were services designed to support a wide range of illegal operations.

The advertisement on a Telegram group stated that the Bulletproof hosting was under development and they were adding RDP sessions.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Further, this new ONNX store is also mentioned to support multiple malicious campaigns with high-performance features using enhanced RAM, CPU, and SSD speeds and unlimited bandwidths.

Indicators Of Compromise

Phishing URLs

• authmicronlineonfication[.]com
• verify-office-outlook[.]com
• stream-verify-login[.]com
• zaq[.]gletber[.]com
• v744[.]r9gh2[.]com
• bsifinancial019[.]ssllst[.]cloud
• 473[.]kernam[.]com
• docusign[.]multiparteurope[.]com
• 56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com
• agchoice[.]us-hindus[.]com

Malicious PDF Files

• 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3
• 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea
• 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1
• f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070
• 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a
• 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e
• 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7
• 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12
• d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172
• 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732