Several phishing campaign kits have been used widely by threat actors in the past. One popular PhaaS (Phishing-as-a-Platform) was Caffeine, which was first identified and reported by Mandiant researchers.
MRxC0DER, an Arabic-speaking threat actor, developed and maintained the caffeine kit.
However, Caffeine has now been discovered to be rebranded as ONNX Store and is found to be managed independently, but the original developer is taking care of the Client support.
Threat actors are currently using this new rebranded platform to target financial institutions through phishing emails.
Additionally, the ONNX store offers a user-friendly interface that can be accessed via Telegram bots.
Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan
Further, it also has the capabilities to bypass 2FA mechanisms which will increase the success rate of business email compromise attacks.
According to the reports shared with Cyber Security News, the phishing pages used in these campaigns resemble the original Microsoft 365 login page that will convince any unsuspecting user to enter their authentication credentials.
As a matter of fact, the rebranding specifically focused on improving operational security for threat actors and their services.
While Caffeine kit used a single shared web server for managing all the phishing campaigns, this new ONNX store allows threat actors to control their operations via Telegram bots and support is provided by a support channel. Some of the observed ONNX store channels and bots are
This is one hand of the channels and the bots, whereas the Services offered include:
In several instances, Law Enforcement fought against these cybercriminal operations that have resulted in domain shutdowns to prevent further activities.
However, this new setup uses Cloudflare to delay the takedown process of phishing domains, which provides features like anti-bot CAPTCHA to evade website scanner detections and IP proxying to hide the original hosting provider.
Further, the cost of different phishing tools is as follows:
As added information, this new PhaaS platform also allows Quishing (QR-phishing) attacks in which threat actors distribute PDF documents via phishing emails that will contain a QR code.
If these QR codes are scanned, it will redirect the victim to a phishing landing page. Further, most of the phishing emails impersonated reputable services like Adobe or Microsoft 365.
Adding to its arsenal, this phishing kit also uses an encrypted Javascript code that will only decrypt when the page loads.
This prevents anti-phishing scanners from detecting these phishing domains.
Once the JS code decrypts, third-party domains such as “httbin[.]org” and “ipapi[.]co” collect the victims’ network metadata, such as browser name, IP address, and location, before sending it to threat actors.
The encryption method also hides malicious scripts which follow the below approaches
These hidden malicious scripts cannot be viewed during a casual inspection. However, if the key and the encrypted string are known, it can be decrypted easily.
However, the decrypted JS code was also designed to steal the 2FA token entered by the victims.
The phishing domains registered have SSL certificates, which GTS CA 1P5 issued from Google Trust Services LLC.
Further, most of the registered domains were through NameSilo and EVILEMPIRE-AS.
Further, these bulletproof hosting services enabled cybercriminals an additional layer of anonymity.
In addition, there were services designed to support a wide range of illegal operations.
The advertisement on a Telegram group stated that the Bulletproof hosting was under development and they were adding RDP sessions.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
Further, this new ONNX store is also mentioned to support multiple malicious campaigns with high-performance features using enhanced RAM, CPU, and SSD speeds and unlimited bandwidths.
Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation platform.…
A critical vulnerability has been discovered in Salesforce applications that could potentially allow a full…
A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of their…
APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated Windows…
A Russian court has sentenced Stanislav Moiseyev, believed to be the founder of the notorious…
With Sweet, customers can now unify detection and response for applications, workloads, and cloud infrastructure …