
The New PhaaS Platform Allows Attackers to Bypass 2FA Mechanism


Several phishing campaign kits have been widely used by threat actors in the past. One popular PhaaS (Phishing-as-a-Service) platform was Caffeine, which was initially identified and reported by Mandiant researchers.

Originally developed and maintained by an Arabic-speaking threat actor known as MRxC0DER, the Caffeine kit has undergone a rebranding and is now known as ONNX Store. While the kit is managed independently, the original developer continues to provide client support.

Currently, threat actors are leveraging this newly rebranded platform to target financial institutions through phishing emails. The ONNX Store offers a user-friendly interface accessible via Telegram bots, further enhancing its appeal to cybercriminals.

One notable feature of the ONNX Store is its ability to bypass 2FA mechanisms, significantly increasing the success rate of business email compromise attacks. Reports reveal that the phishing pages used in these campaigns closely resemble the genuine Microsoft 365 login page, luring unsuspecting users into entering their authentication credentials.

The rebranding of Caffeine to ONNX Store was primarily focused on enhancing operational security for threat actors and their services. Unlike the Caffeine kit, which used a single shared web server to manage all phishing campaigns, ONNX Store allows threat actors to control their operations via Telegram bots, with support provided through a dedicated channel.

Some of the observed ONNX Store channels and bots include:

– @ONNXIT: A Telegram user managing support needs from clients.
– @ONNX2FA_bot: A Telegram bot for clients to receive 2FA codes from successful phishing operations.
– @ONNXNORMAL_bot: A Telegram bot for clients to obtain Microsoft Office 365 login credentials.
– @ONNXWEBMAIL_bot: A Telegram bot for clients to control a Webmail server for sending phishing emails.
– @ONNXKITS_BOT: A Telegram bot for clients to make payments for ONNX Store services and track their orders.

The services offered by ONNX Store include Microsoft Office 365 phishing template generation, webmail services for sending phishing emails using social engineering lures, and bulletproof hosting and RDP services for cybercriminals to manage their operations securely.

To prevent domain shutdowns due to law enforcement interventions, the new setup of ONNX Store utilizes Cloudflare, which enables the evasion of website scanner detections through features like anti-bot CAPTCHA and IP proxying to mask the original hosting provider.

The ONNX Store offers various phishing tools at different price points, including Webmail Normal service, Office 2FA Cookie Stealer, Office Normal package, and Office Redirect Service. Additionally, the platform supports Quishing (QR-phishing) attacks, where QR codes distributed via phishing emails redirect victims to phishing landing pages.

Moreover, the phishing kit employs encrypted JavaScript to prevent detection by anti-phishing scanners. The code is decrypted on page load and collects victims' network metadata before sending it to the threat actors. The same JavaScript is designed to steal the 2FA tokens entered by victims.
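A defender-side illustration of the "2FA Cookie Stealer" behaviour described above: once a post-MFA session cookie is stolen, the attacker replays it from their own infrastructure, which sign-in telemetry often exposes as one session identity appearing from two different networks within minutes. This is an added example, not code from the article or the ONNX Store kit; the log line format (`session_id`, `asn`, `mfa` fields) is constructed and not a real identity provider's schema.

```python
"""Flag a post-MFA session identity reused from a different network shortly
after the legitimate sign-in. The log format below is constructed for this
example and does not mirror any specific identity provider's schema."""
import json
from datetime import datetime, timedelta

# Constructed sign-in events. session_id identifies the post-MFA session cookie.
SAMPLE_LOG = """
{"ts":"2024-06-18T09:00:10Z","user":"alice@example.com","session_id":"S-1","ip":"203.0.113.7","asn":"AS64500","mfa":"satisfied"}
{"ts":"2024-06-18T09:04:42Z","user":"alice@example.com","session_id":"S-1","ip":"198.51.100.23","asn":"AS64501","mfa":"claim_in_token"}
{"ts":"2024-06-18T10:30:00Z","user":"bob@example.com","session_id":"S-2","ip":"203.0.113.9","asn":"AS64500","mfa":"satisfied"}
{"ts":"2024-06-18T10:31:00Z","user":"bob@example.com","session_id":"S-2","ip":"203.0.113.9","asn":"AS64500","mfa":"claim_in_token"}
"""

def parse_events(text):
    """Parse JSON-lines sign-in events and return them ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def find_session_replays(events, window=timedelta(hours=1)):
    """Return (user, session_id, origin_ip, replay_ip) for every session whose
    MFA-satisfied sign-in is followed, within `window`, by use from another ASN."""
    origin_by_session = {}  # session_id -> the event that established the session
    hits = []
    for event in events:
        sid = event["session_id"]
        if sid not in origin_by_session:
            if event["mfa"] == "satisfied":
                origin_by_session[sid] = event
            continue
        origin = origin_by_session[sid]
        same_network = event["asn"] == origin["asn"]
        if not same_network and event["ts"] - origin["ts"] <= window:
            hits.append((event["user"], sid, origin["ip"], event["ip"]))
    return hits

if __name__ == "__main__":
    for hit in find_session_replays(parse_events(SAMPLE_LOG)):
        print("possible replayed session:", hit)
```

A hit is a lead to investigate (revoke the session and re-challenge the user), not proof of compromise; travelling users and VPN changes also produce ASN changes.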

ONNX Store also provides bulletproof hosting with SSL certificates to support multiple malicious campaigns. The advertised offerings include enhanced RAM, CPU, and SSD speeds, along with unlimited bandwidth for high-performance features.

Indicators Of Compromise associated with the ONNX Store phishing campaigns include phishing URLs and malicious PDF files used in these attacks. The bulletproof hosting services enable cybercriminals to operate with an additional layer of anonymity, facilitating a wide range of illegal activities.

As cybercriminals continue to evolve their tactics, it is crucial for organizations and individuals to remain vigilant against phishing attacks and take proactive measures to enhance their cybersecurity defenses.
