Several phishing campaign kits have been used widely by threat actors in the past. One popular PhaaS (Phishing-as-a-Platform) was Caffeine, which was first identified and reported by Mandiant researchers.
MRxC0DER, an Arabic-speaking threat actor, developed and maintained the caffeine kit.
However, Caffeine has now been discovered to be rebranded as ONNX Store and is found to be managed independently, but the original developer is taking care of the Client support.
Threat actors are currently using this new rebranded platform to target financial institutions through phishing emails.
Additionally, the ONNX store offers a user-friendly interface that can be accessed via Telegram bots.
Scan Your Business Email Inbox to Find Advanced Email Threats – Try AI-Powered Free Threat Scan
Further, it also has the capabilities to bypass 2FA mechanisms which will increase the success rate of business email compromise attacks.
PhaaS Platform Bypass 2FA
According to the reports shared with Cyber Security News, the phishing pages used in these campaigns resemble the original Microsoft 365 login page that will convince any unsuspecting user to enter their authentication credentials.
As a matter of fact, the rebranding specifically focused on improving operational security for threat actors and their services.
While Caffeine kit used a single shared web server for managing all the phishing campaigns, this new ONNX store allows threat actors to control their operations via Telegram bots and support is provided by a support channel. Some of the observed ONNX store channels and bots are
@ONNXIT: A Telegram user – manages support needs from clients.
@ONNX2FA_bot: A Telegram bot for clients to receive 2FA codes from successful phishing operations.
@ONNXNORMAL_bot: A Telegram bot for clients to receive Microsoft Office 365 login credentials.
@ONNXWEBMAIL_bot: A Telegram bot for clients to control a Webmail server for sending phishing emails.
@ONNXKITS_BOT: A Telegram bot for clients to make payments for ONNX Store services and track their orders.
This is one hand of the channels and the bots, whereas the Services offered include:
Microsoft Office 365 phishing template generation.
Webmail service for sending phishing emails and using social engineering lures.
Bulletproof hosting and RDP services for cybercriminals to manage their operations securely.
Cloudflare To prevent Domain Shutdowns
In several instances, Law Enforcement fought against these cybercriminal operations that have resulted in domain shutdowns to prevent further activities.
However, this new setup uses Cloudflare to delay the takedown process of phishing domains, which provides features like anti-bot CAPTCHA to evade website scanner detections and IP proxying to hide the original hosting provider.
Further, the cost of different phishing tools is as follows:
Webmail Normal service ($150/Month): Offers customizable phishing pages and webmail server.
Office 2FA Cookie Stealer ($400/Month): A phishing landing page that captures 2FA tokens and cookies from victims, featuring statistics, country blocking, and email grabbing.
Office Normal package ($200/Month): Enables email credential harvesting capabilities without bypassing 2FA.
Office Redirect Service ($200/Month): Advertised by ONNX Store as creating “Fully Undetectable (FUD) links”. This service exploits trusted domains, such as bing.com, to redirect victims into attacker controlled phishing landing pages.
As added information, this new PhaaS platform also allows Quishing (QR-phishing) attacks in which threat actors distribute PDF documents via phishing emails that will contain a QR code.
If these QR codes are scanned, it will redirect the victim to a phishing landing page. Further, most of the phishing emails impersonated reputable services like Adobe or Microsoft 365.
Encrypted JS Code To Evade Detection
Adding to its arsenal, this phishing kit also uses an encrypted Javascript code that will only decrypt when the page loads.
This prevents anti-phishing scanners from detecting these phishing domains.
Once the JS code decrypts, third-party domains such as “httbin[.]org” and “ipapi[.]co” collect the victims’ network metadata, such as browser name, IP address, and location, before sending it to threat actors.
The encryption method also hides malicious scripts which follow the below approaches
Encoded string is decoded from base64
Every character of the decoded string is XORed with a character from the hardcoded key, cycling through the key for the decryption.
The result is a decrypted string (JavaScript code), which is then executed by the browser.
These hidden malicious scripts cannot be viewed during a casual inspection. However, if the key and the encrypted string are known, it can be decrypted easily.
However, the decrypted JS code was also designed to steal the 2FA token entered by the victims.
Bulletproof Hosting For Cybercriminals
The phishing domains registered have SSL certificates, which GTS CA 1P5 issued from Google Trust Services LLC.
Further, most of the registered domains were through NameSilo and EVILEMPIRE-AS.
Further, these bulletproof hosting services enabled cybercriminals an additional layer of anonymity.
In addition, there were services designed to support a wide range of illegal operations.
The advertisement on a Telegram group stated that the Bulletproof hosting was under development and they were adding RDP sessions.
Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free
Further, this new ONNX store is also mentioned to support multiple malicious campaigns with high-performance features using enhanced RAM, CPU, and SSD speeds and unlimited bandwidths.
Indicators Of Compromise
Phishing URLs
authmicronlineonfication[.]com
verify-office-outlook[.]com
stream-verify-login[.]com
zaq[.]gletber[.]com
v744[.]r9gh2[.]com
bsifinancial019[.]ssllst[.]cloud
473[.]kernam[.]com
docusign[.]multiparteurope[.]com
56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com
agchoice[.]us-hindus[.]com
Malicious PDF Files
432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3
47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea
51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1
f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070
52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a
3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e
702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7
908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12
d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172
4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732
The post New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.