Executive Summary
In February 2024, EclecticIQ analysts discovered phishing campaigns targeting financial institutions. Threat actors employed embedded QR codes in PDF attachments to redirect victims to phishing URLs [1]. These campaigns were driven by a Phishing-as-a-Service (PhaaS) platform called ONNX Store, which operates through a user-friendly interface accessible via Telegram bots, enabling the orchestration of phishing attacks.
Figure 1 - Overview of ONNX store in
EclecticIQ Threat Intelligence Platform
(click on image to open in separate tab).
ONNX Store has a two-factor authentication (2FA) bypass mechanism that intercepts 2FA requests from victims. By bypassing 2FA security, it increases the success rate of business email compromise (BEC) attacks. The phishing pages look like real Microsoft 365 login interfaces, tricking targets into entering their authentication details.
EclecticIQ analysts assess with high confidence that the ONNX Store phishing kit is very likely a rebranded version of the Caffeine phishing kit [2] that Mandiant first discovered in 2022. This assessment is based on the overlaps in infrastructure and advertising on Telegram channels.
Analysts assess with high confidence that the Arabic-speaking threat actor MRxC0DER (also known as mrxcoderxx) is likely the developer and maintainer of the Caffeine kit. This conclusion is based on multiple pieces of evidence, including video demonstrations by the threat actor, where Arabic language settings were observed as the default in the browser during an advertisement video [3].
Analysts assess with medium confidence that ONNX Store is likely managed independently by a new entity without central management, while MRxC0DER is likely responsible for client support. This assessment is based on evidence from publications on the support Telegram account of the ONNX Store.
ONNX Store: Rebranding of Caffeine Phishing-as-a-Service Platform
EclecticIQ analysts assess with high confidence that ONNX Store is a rebranding of the Caffeine platform due to similarities in operational strategies and backend server patterns.
The former Caffeine Telegram channel announced a rebranding update in 2023, stating that the operators adopted a new operational model and launched a new channel called ONNX Store.
Figure 2 – Announcement of rebranding.
Analysts assess that the rebranding is focusing on improved operational security (OPSEC) for malicious actors and services. In contrast to Caffeine, which used a single shared web server for managing all phishing campaigns, the ONNX Store service enables threat actors to control operations through Telegram bots with an additional support channel to assist clients. Observed Telegram support channels and C2 bots include:
- @ONNXIT: A Telegram user (possibly moderated by group of individuals) managing support needs from clients.
- @ONNX2FA_bot: A Telegram bot for clients to receive 2FA codes from successful phishing operations.
- @ONNXNORMAL_bot: A Telegram bot for clients to receive Microsoft Office 365 login credentials.
- @ONNXWEBMAIL_bot: A Telegram bot for clients to control a Webmail server for sending phishing emails.
- @ONNXKITS_BOT: A Telegram bot for clients to make payments for ONNX Store services and track their orders. Services include:
-
- Microsoft Office 365 phishing template generation.
- Webmail service for sending phishing emails and using social engineering lures.
- Bulletproof hosting and RDP services for cybercriminals to manage their operations securely.
Figure 3 – Services from ONNX Store Telegram Bot.
Figure 4 shows error message overlaps between the ONNX and Caffeine phishing kits. Both malicious services utilize similar backend mechanisms to manage access via APIs. When an API key expires or becomes invalid, both platforms display error messages to inform the service client of the need for renewal. Since these services are subscription-based and paid monthly, an expired API key indicates that the client must purchase the service again to continue their phishing activities.
Figure 4 – Backend server similarities
between ONNX and Caffeine PhaaS.
ONNX Store Utilizes Cloudflare to Prevent Phishing Domain Shutdowns
ONNX Store leverages Cloudflare to delay the takedown process of phishing domains. Cloudflare provides legitimate anti-bot CAPTCHA features and IP proxying to protect websites from various threats. Threat actors abuse these features to safeguard their malicious services. Cloudflare's CAPTCHA helps evade detection by phishing website scanners and URL sandboxes. Its IP proxying hides the original hosting provider, making it harder to take down phishing domains created through ONNX Store.
Figure 5 – Phishing page is behind the Cloudflare anti-bot.
ONNX Store offers a variety of phishing tools designed to help cybercriminal activities:
- Webmail Normal service ($150/Month): Offers customizable phishing pages and webmail server.
- Office 2FA Cookie Stealer ($400/Month): A phishing landing page that captures 2FA tokens and cookies from victims, featuring statistics, country blocking, and email grabbing.
- Office Normal package ($200/Month): Enables email credential harvesting capabilities without bypassing 2FA.
- Office Redirect Service ($200/Month): Advertised by ONNX Store as creating “Fully Undetectable (FUD) links”. This service exploits trusted domains, such as bing.com, to redirect victims into attacker controlled phishing landing pages.
Figure 6 shows the different services and their capabilities in detail:
Figure 6 – List of the services in ONNX Store.
Quishing - Delivering Phishing URL via Embedded QR Code in PDF Documents
EclecticIQ analysts observed that threat actors use ONNX Store services to distribute PDF documents via phishing email attachments. These documents impersonate reputable services such as Adobe or Microsoft 365 and use social engineering tactics to masquerade as HR department salary updates or employee handbooks. Each PDF contains a QR code that, once scanned, directs victims to malicious phishing landing pages.
Threat actors prefer QR codes to evade endpoint detection. Since QR codes are typically scanned by mobile phones, many organizations lack detection or prevention capabilities on employees' mobile devices, making it challenging to monitor these threats.
Most observed phishing campaigns target financial institutions, including banks, private funding firms, and credit union service providers across the EMEA and AMER regions.
Figure 7 shows an example of a malicious PDF document targeting Navy Federal Credit Union, which serves members of various branches of the United States Department of Defense personnel, veterans and their families.
Figure 7 – Example of PDF document
with a malicious QR code.
When victims scan the QR code, they are redirected to a phishing landing page controlled by the attacker. This page is designed to steal login credentials and 2FA authentication codes using the Adversary-in-The-Middle (AiTM) method [4].
Figure 8 illustrates a phishing site disguised as a Microsoft 365 login page. When victims enter their credentials, the phishing server collects the stolen information via WebSockets protocol, which allows real-time, two-way communication between the user's browser and the server. Attackers use WebSockets to quickly capture and transmit stolen data without the need for frequent HTTP requests, making the phishing operation more efficient and harder to detect.
EclecticIQ analysts observed that another Phishing-as-a-Service platform, Tycoon [5], also uses a similar AiTM technique with Cloudflare CAPTCHA. This trend indicates a pattern of learning and adaptation among malicious actors, who refine their tactics by emulating successful operations seen in the cybercrime landscape.
Figure 8 – Microsoft 365 phishing landing page.
ONNX Store Phishing Kit Utilizes Encrypted JavaScript Code to Evade Detection
The ONNX Store phishing kit uses encrypted JavaScript code that decrypts itself during page load and includes a basic anti-JavaScript debugging feature. This adds a layer of protection against anti-phishing scanners and complicates analysis.
After the decryption of JavaScript code, EclecticIQ analysts observed that the network metadata of victims such as browser name, IP address and location, was being collected by third party domains such as “httbin[.]org” and “ipapi[.]co” before being sent to threat actors. This data is almost certainly used to track each operation and block specific IP addresses chosen by the attacker.
Figure 9 – Decrypted JavaScript function used
to collect victim’s network metadata.
Decrypted JavaScript Code Captures and Relays 2FA Tokens to Bypass Security Measures
ONNX Store employs a simple encryption method to hide its malicious scripts. The decryption approach is as follows:
- The Encoded string is decoded from Base64.
- Each character of the decoded string is XORed with a character from the hardcoded key, cycling through the key for the decryption.
- The result is a decrypted string (JavaScript code) which is then executed by the browser.
This method can hide malicious scripts within a webpage, making casual inspection more difficult. It can be decrypted easily if the key and the encrypted string are known, as demonstrated in Figure 10.
Figure 10 – JavaScript decryption function in phishing tool.
EclecticIQ analysts observed a functionality within the decrypted JavaScript code specifically designed to steal 2FA tokens entered by the victims.
The section_otp in the code is responsible in capturing 2FA. When a user enters their one-time password (OTP) and clicks the verify button (btn_verifyotp), the script sends the entered OTP to the server using the sendAndReceive() function. If the response indicates a valid OTP, the user is redirected to another page. If an error occurs (e.g., wrong OTP), appropriate error messages are displayed, prompting the user to try again.
Figure 11 – Handling the 2FA/OTP Verification Process.
The phishing page captures this information and immediately relays it to the attacker. The attacker then uses the stolen credentials and 2FA token in real-time to log into the legitimate service, bypassing the 2FA protection. This real-time relay of credentials allows the attacker to gain unauthorized access to the victim's account before the 2FA token expires, circumventing multi-factor authentication.
Bulletproof Hosting for Cyber Criminals
EclecticIQ analysts identified similarities in domain registrant and SSL Issuer across various infrastructures deployed by the ONNX Store phishing kit. Specifically, the SSL issuer for these infrastructures was GTS CA 1P5 from Google Trust Services LLC. Additionally, most of the domains were registered through NameSilo and EVILEMPIRE-AS.
Figure 12 – Infrastructure similarities in
ONNX Store deployed domains.
Bulletproof hosting services, like those advertised by ONNX Store, offer cybercriminals a haven for malicious activities. Promoted with slogans like "Everything is allowed" and "Ignore all abuse reports," these services are designed to support a wide range of illegal operations without the threat of being shut down.
An advertisement identified in a Telegram group, shown in figure 13, announces a Bulletproof hosting service currently under development, accessible through RDP (Remote Desktop Protocol) sessions. Marketed not only for phishing but for a wider range of malicious campaigns with high-performance features including enhanced RAM, CPU, and SSD speeds and unlimited bandwidth. The Bulletproof hosting service advertising highlights ease of management via automated bots and continuous availability, making it a powerful tool for various malicious online activities.
Figure 13- Bulletproof RDP Hosting advertisement
in ONNX Store Telegram group.
Credential Theft and Ransomware: The Broader Impact of Phishing Toolkits
Financially motivated cyber criminals are developing phishing toolkit services like ONNX Store to assist other threat actors and generate revenue from their services. These platforms allow various cybercriminals to easily launch phishing campaigns, utilizing features such as 2FA bypass mechanisms and realistic phishing pages. They also offer a level of operational security that can hide the true identity of whomever is running the campaign.
Stolen email credentials obtained through these phishing campaigns are often sold on underground forums [6]. Ransomware groups find these credentials highly valuable, using them as an initial compromise vector to infiltrate targeted organizations. This highlights the broader implications of such phishing platforms, as they not only enable immediate financial gains through credential theft but also contribute to domain-level compromise like ransomware attacks.
Prevention Strategies & Detection Opportunities
Figure 14 lists countermeasures and prevention methods to combat threats posed by the ONNX Store phishing kits. Each row in the chart outlines a unique threat tradecraft used by the phishing kit, paired with prevention methods.
The strategies span from technical measures, such as implementing DNSSEC to block typo-squatted domains, to organizational practices like employee education on the dangers of embedded QR codes in PDF documents.
Figure 14 - Prevention methods against
ONNX Store Phishing kit.
YARA Rules
- HUNT_CRIME_ONNX_PHISHING_URL: This rule is designed for threat hunting against possible phishing domains that use ONNX Store APIs. It searches for specific patterns associated with ONNX Store, such as default API error messages and Telegram support link, which appear when a threat actor's monthly payment for the service has not been renewed.
rule HUNT_CRIME_ONNX_PHISHING_URL
{
meta:
description = "Searches for default ONNX Store API error"
author = "Arda Buyukkaya"
date = "2024-05-23"
hash = "77e03c77a2bdbc09d5279fa316a35db0"
strings:
$contact_link = "https://t.me/ONNXIT"
$support_message = "Please contact <a href='https://t.me/ONNXIT'>ONNX SUPPORT</a>"
$expired_api = "Your API has been expired"
condition:
all of them
} - MAL_CRIME_ONNX_Store_Phishing_PDF_QR: This YARA rule is designed to detect potentially malicious PDF files containing QR codes by examining their structural patterns. It focuses on identifying the use of the open-source HTML to PDF converter "dompdf" within the metadata section of the PDF file.
rule MAL_CRIME_ONNX_Store_Phishing_PDF_QR
{
meta:
description = "Detects potentially malicious PDFs based on structural patterns"
author = "Arda Buyukkaya"
date = "2024-05-17"
hash = "0250a5ba26791e7ffddb4b294d486479"
strings:
$pdf = "%PDF-"
$magic_classic = "%!FontType1-1."
$magic_font = /obj\s*<<[^>]*\/Type\s*\/Font[^>]*\/Subtype\s*\/Type1/
$magic_font2 = /obj\s*<<[^>]*\/Subtype\s*\/Type1[^>]*\/Type\s*\/Font/
$dompdf = {64 00 6F 00 6D 00 70 00 64 00 66 00 20 00 2B 00 20 00 43 00 50 00 44 00 46}
$dompdf2 = {64 00 6F 00 6D 00 70 00 64 00 66 00 20 00 32 00 2E 00 30 00 2E 00 30 00 20 00 2B 00 20 00 43 00 50 00 44 00 46 29}
$QR = {2F 4D 65 64 69 61 42 6F 78 20 5B 30 2E 30 30 30}
condition:
$magic_classic in (0..1024) or ($pdf in (0..1024) and any of ($magic_font*))
and 1 of ($dompdf*) and $QR
}
Indicator of Compromise (IOCs)
Phishing URLs
- authmicronlineonfication[.]com
- verify-office-outlook[.]com
- stream-verify-login[.]com
- zaq[.]gletber[.]com
- v744[.]r9gh2[.]com
- bsifinancial019[.]ssllst[.]cloud
- 473[.]kernam[.]com
- docusign[.]multiparteurope[.]com
- 56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com
- agchoice[.]us-hindus[.]com
Malicious PDF Files
- 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3
- 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea
- 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1
- f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070
- 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a
- 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e
- 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7
- 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12
- d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172
- 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732
ONNX Store API Error Page (When the monthly payment for the service is not renewed this error was displayed as static data):
- 0f5be6f53fe198ca32d82a75339fe832b70d676563ce8b7ca446d1902b926856
Admin panel of ONNX Store (medium confidence):
- Onnx[.]su
- 5[.]181[.]156[.]247
Figure 15 - Possible Server Used for ONNX Store
API management by the Admin.
MITRE ATT&CK
- T1566.001 - Spearphishing Attachment
- T1204 - User Execution
- T1539 - Steal Web Session Cookie
- T1567 - Exfiltration Over Web Service
- T1132.001 - Data Encoding: Standard Encoding
- T1027 - Obfuscated Files or Information
- T1090.004 - Proxy: Domain Fronting
- T1114 - Email Collection
- T1557 - Adversary-in-the-Middle
Structured Data
Find this and other research in our public TAXII collection for easy use in your security stack: https://cti.eclecticiq.com/taxii/discovery.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence & Research Team
EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.
You might also be interested in
Introducing EclecticIQ Threat Scout
EclecticIQ Intelligence Center 3.3 is here
References
[1] “What is quishing.” Accessed: May 28, 2024. [Online]. Available: https://www.cloudflare.com/learning/security/what-is-quishing/
[2] “Caffeine Phishing-as-a-Service Platform | Fresh Phish Market,” Google Cloud Blog. Accessed: Jun. 04, 2024. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/caffeine-phishing-service-platform
[3] “caffeinestore | CraxTube - Tutorials & Guides | Crack, Spam, Card & Hack.” Accessed: May 28, 2024. [Online]. Available: https://crax.tube/@caffeinestore
[4] “What Is An Adversary-in-the-Middle (AitM) Attack?,” SentinelOne. Accessed: May 08, 2024. [Online]. Available: https://www.sentinelone.com/cybersecurity-101/what-is-an-adversary-in-the-middle-aitm-attack/
[5] S. TDR, Q. Bourgue, and S. T. and Q. Bourgue, “Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit,” Sekoia.io Blog. Accessed: May 28, 2024. [Online]. Available: https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/
[6] “Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets.” Accessed: May 28, 2024. [Online]. Available: https://www.darkreading.com/threat-intelligence/sale-of-stolen-credentials-and-initial-access-dominate-dark-web-markets