ONNX Store, the new cyber threat to financial institutions

17 September 2024 10 minutes Author: Cyber Witcher

Learn about the new ONNX Store cyber threat that is actively targeting financial institutions around the world. This article provides a detailed analysis of the mechanisms of the threat and its potential impact on the financial sector. Possible consequences for security systems and financial data are considered, as well as recommendations for protection against such attacks are provided.

Summary

In February 2024, phishing campaigns targeting financial institutions were discovered. Attackers used QR codes in attached PDF files to redirect victims to phishing URLs. The campaigns were carried out through a Phishing-as-a-Service (PhaaS) platform called the ONNX Store, with an interface accessible through bots on Telegram to orchestrate the attacks.

Overview of the ONNX Store on the EclecticIQ Threat Intelligence Platform.

ONNX Store uses a two-factor authentication (2FA) bypass mechanism that intercepts 2FA requests in transit and so raises the success rate of business email compromise (BEC) attacks. Its phishing pages imitate the Microsoft 365 login interface, tricking users into entering their credentials.

The ONNX Store is likely a rebrand of the Caffeine phishing kit discovered in 2022. The Arabic-speaking threat actor MRxC0DER is believed to be developing this kit, and, judging by messages on the store's Telegram account, the same actor also handles customer support for the ONNX Store.

ONNX Store: rebranding of the Caffeine Phishing-as-a-Service platform

The ONNX Store is likely a rebrand of the Caffeine platform, based on similarities in operating strategies and server templates. In 2023, the former Caffeine Telegram channel announced a change in operating model and the launch of a new channel called the ONNX Store.

Rebranding announcement.

The rebranding is focused on improving operational security (OPSEC) for the operators and their customers. Where Caffeine used a shared web server to manage phishing campaigns, the ONNX Store lets customers control operations through Telegram bots. A separate support channel is provided to assist customers.

  • @ONNXIT: A Telegram user (possibly moderated by a group of individuals) who manages customer support needs.

  • @ONNX2FA_bot: A Telegram bot for customers that retrieves 2FA codes from successful phishing operations.

  • @ONNXNORMAL_bot: A Telegram bot for customers that retrieves Microsoft Office 365 login credentials.

  • @ONNXWEBMAIL_bot: A Telegram bot for clients that controls the webmail server to send phishing emails.

  • @ONNXKITS_BOT: Telegram bot for customers to make payments for ONNX Store services and track their orders. Services include:

  1. Creating a Microsoft Office 365 phishing template.

  2. A webmail service for sending phishing emails and using social engineering lures.

  3. Bulletproof hosting and RDP services for cybercriminals to manage their operations securely.

Services from ONNX Store Telegram Bot.

Figure 4 shows the similarity between the API error pages of the ONNX and Caffeine phishing kits. Both platforms use the same backend mechanism to manage API access: when the API key expires or becomes invalid, a message asks for renewal. Because the services are sold on a subscription model, an expired API key means the customer must buy a new subscription to continue phishing operations.

Backend server similarities between ONNX and Caffeine PhaaS.

ONNX Store uses Cloudflare to delay the removal of phishing domains

Attackers abuse Cloudflare's anti-bot challenge (CAPTCHA) and reverse-proxy features to protect their malicious sites. The CAPTCHA stops automated phishing scanners from reaching the page, and the proxy hides the origin hosting provider, which slows down takedown of phishing domains associated with the ONNX Store.

The phishing page is behind the Cloudflare antibot.

ONNX Store offers a range of phishing tools aimed at cybercriminals:

  • Basic Webmail ($150/month): Offers customized phishing pages and a webmail server.

  • Office 2FA Cookie Stealer ($400/month): A phishing landing page that captures victims' 2FA tokens and session cookies, with campaign statistics, country blocking and email interception.

  • Regular Office Suite ($200/month): Allows you to collect email credentials without bypassing 2FA.

  • Office Redirect Service ($200/month): Advertised by the ONNX Store as producing "Fully Undetectable (FUD) links". The service abuses redirects on trusted domains such as bing.com to bounce victims to attacker-controlled phishing landing pages, so the link a filter inspects points at a reputable domain.

Figure 6 shows the various services and their capabilities in detail:

List of services in ONNX Store.

Quishing – Delivery of a phishing URL via an embedded QR code in PDF documents

Attackers use the ONNX Store to distribute phishing PDF documents via email, posing as Adobe or Microsoft 365 material. The documents are disguised as HR updates or employee handbooks and contain QR codes that, when scanned, lead to phishing pages. The QR code sidesteps endpoint controls twice over: the URL is embedded in an image rather than as text, so email URL filters do not see it, and the scan is done on a mobile device, which typically has far more limited threat monitoring than a managed workstation.

Most of these attacks target banks and financial institutions in the EMEA and AMER regions.

Example of a PDF document with a malicious QR code.

When victims scan the QR code, they are taken to a phishing page designed to steal credentials and 2FA codes via the Adversary-in-The-Middle (AiTM) technique. A phishing site masquerading as a Microsoft 365 login page collects input in real-time using WebSockets, allowing the stolen information to be transmitted quickly and making the operation less visible.

Another Phishing-as-a-Service platform, Tycoon, also uses the AiTM technique in conjunction with Cloudflare CAPTCHA, suggesting that attackers are learning and adapting their tactics by mimicking successful cybercriminal operations.

Microsoft 365 phishing landing page.

ONNX Store Phishing Kit uses encrypted JavaScript code to avoid detection

The ONNX Store phishing kit ships its JavaScript in encrypted (obfuscated) form, decrypts it when the page loads, and includes an anti-debugging feature that hampers both automated scanners and manual analysis. Once decrypted, the script collects victim metadata such as IP address, browser name and location through third-party services such as "httbin[.]org" and "ipapi[.]co". The operators use this data to track campaigns and to block certain IP addresses.

A decrypted JavaScript function used to collect the victim’s network metadata.

The decrypted JavaScript captures and transmits 2FA tokens to bypass security measures

ONNX Store uses a simple scheme (Base64 over a repeating-key XOR) to hide its malicious scripts. Decryption proceeds as follows:

  • The encoded string is decoded from Base64.

  • Each byte of the decoded string is XORed with a byte of the hard-coded key, cycling through the key as often as needed.

  • The result is the plaintext JavaScript, which the page then executes in the browser.

This hides the script from casual inspection of the page source, but it is not real encryption: the browser needs the key to run the script, so key and ciphertext both sit in the page, and with those two the code is trivially recovered, as Figure 10 shows.

JavaScript decryption function in the phishing kit.
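The three-step scheme above, implemented as an added example in Node.js (this is not the ONNX Store kit's own code and not EclecticIQ's). It encodes and decodes a constructed sample script with a constructed key, and adds the known-plaintext key recovery an analyst uses when the key is not conveniently sitting next to the blob:

```javascript
// Added example, not code from the ONNX Store kit or from EclecticIQ's report.
// It implements the layer described above (Base64 over repeating-key XOR) in
// both directions and adds a known-plaintext key recovery. The key, the script
// and the resulting blob are constructed here for illustration.

// XOR each byte of `data` with the key byte at the same position, cycling the key.
// XOR is its own inverse, so one function serves both encoding and decoding.
function xorRepeating(data, keyBytes) {
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ keyBytes[i % keyBytes.length];
  }
  return out;
}

// Build step: XOR the script with the key, then Base64-encode the result.
function encodeLayer(script, key) {
  const xored = xorRepeating(Buffer.from(script, 'utf8'), Buffer.from(key, 'utf8'));
  return xored.toString('base64');
}

// Runtime step on the phishing page, minus the final eval(): Base64-decode,
// XOR with the same key, and the original script text is back.
function decodeLayer(encoded, key) {
  const plain = xorRepeating(Buffer.from(encoded, 'base64'), Buffer.from(key, 'utf8'));
  return plain.toString('utf8');
}

// Smallest p such that stream[i] === stream[i mod p] for every i.
function smallestPeriod(stream) {
  for (let p = 1; p < stream.length; p++) {
    let repeats = true;
    for (let i = p; i < stream.length && repeats; i++) {
      repeats = stream[i] === stream[i % p];
    }
    if (repeats) return p;
  }
  return stream.length;
}

// Analyst shortcut: because cipher[i] ^ plain[i] === key[i mod keylen],
// guessing how the decrypted script starts (e.g. "function " or "(function(")
// exposes the key stream; once the guess is at least one key length long, the
// repeating pattern is the key. A guess shorter than the key yields a partial key.
function recoverKey(encoded, knownPrefix) {
  const cipher = Buffer.from(encoded, 'base64');
  const prefix = Buffer.from(knownPrefix, 'utf8');
  const n = Math.min(cipher.length, prefix.length);
  const stream = Buffer.alloc(n);
  for (let i = 0; i < n; i++) stream[i] = cipher[i] ^ prefix[i];
  return stream.subarray(0, smallestPeriod(stream)).toString('utf8');
}

// Constructed sample: a harmless stand-in for the kit's collection script.
const SAMPLE_KEY = 'k3y!';
const SAMPLE_SCRIPT = 'function collect(){return navigator.userAgent;}';
const SAMPLE_ENCODED = encodeLayer(SAMPLE_SCRIPT, SAMPLE_KEY);

console.log('encoded blob :', SAMPLE_ENCODED);
console.log('decoded      :', decodeLayer(SAMPLE_ENCODED, SAMPLE_KEY));
console.log('recovered key:', recoverKey(SAMPLE_ENCODED, 'function col'));
```

In a real page the decoded string is handed to eval() or new Function(); when analysing a sample, replace that call with a console.log or a file write so the script is captured rather than run. The known-plaintext trick also works against the anti-debugging stub, since the guessable opening of the decrypted script is all it needs.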

The decrypted ONNX Store JavaScript contains functionality for stealing the 2FA token a user enters. The code section responsible for capturing the OTP sends it to the kit's server via a sendAndReceive() function. If the code is accepted, the user is redirected to another page; on error, a message asks them to try again.

Handling the 2FA/OTP verification process.

The phishing page relays the credentials and 2FA token to the attacker immediately, who uses them in real time to log into the legitimate service before the one-time code expires. Because the attacker ends up holding a legitimate session cookie, the access outlives the code itself. Note that this relay works against OTP and push-based factors only; origin-bound factors such as FIDO2 security keys refuse to authenticate to the phishing domain and are not bypassed this way.

Bulletproof hosting

Domains in the ONNX Store infrastructure share the same registrar and TLS certificate issuer: certificates are issued by GTS CA 1P5 (Google Trust Services LLC), and most domains were registered through NameSilo and are associated with the EVILEMPIRE-AS autonomous system.

Infrastructure similarities in deployed ONNX Store domains.

Bulletproof hosting services like those offered by the ONNX Store provide cybercriminals with a safe haven for malicious operations. Advertised with slogans like “Anything is allowed” and “Ignore all reports”, these hosts support illegal activities without the threat of being banned.

An ad spotted on Telegram mentions a bulletproof hosting service accessible via RDP sessions. It is not only suitable for phishing, but also for other malicious campaigns, offering high performance with improved CPU, RAM, SSD options and unlimited bandwidth managed through automated bots.

Advertisement Bulletproof RDP Hosting in ONNX Store Telegram group.

Credential Theft and Ransomware: The Impact of Phishing Platforms

Financially motivated cybercriminals create services like the ONNX Store to help other criminals and generate income. These platforms make it easy to launch phishing campaigns with features such as 2FA bypass and realistic login pages, while ensuring the anonymity of the perpetrators. Stolen credentials are often sold on underground forums and used by ransomware groups to further infiltrate organizations.

Prevention and detection strategies

Figure 14 presents countermeasures against ONNX Store phishing. These include technical controls, such as DNSSEC and DNS-layer blocking of known malicious domains (DNSSEC by itself only authenticates DNS answers and does not block anything; blocking needs DNS filtering or a response policy zone), and organizational practices, such as educating employees about the risk of QR codes in PDF documents.

Methods to prevent ONNX Store phishing attacks.

YARA Rules

  • HUNT_CRIME_ONNX_PHISHING_URL: Hunts for possible phishing domains that use the ONNX Store API. It looks for patterns tied to the ONNX Store, such as the default API error message and the Telegram support links that appear when a customer's monthly payment for the service has not been renewed.

  • MAL_CRIME_ONNX_Store_Phishing_PDF_QR: This YARA rule is designed to detect potentially malicious PDF files that contain QR codes by examining their structural patterns. It focuses on detecting the use of the open source HTML to PDF converter “dompdf” in the metadata section of a PDF file.
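The idea behind the second rule, written out as an added byte-level heuristic in Node.js. This is not EclecticIQ's YARA rule and does not claim to match its exact strings: it flags a PDF whose /Producer names dompdf and which carries an image XObject (how a QR code ends up in an HTML-rendered PDF). The two sample PDFs are constructed here and are not real lure files; the Producer string format is an assumption.

```javascript
// Added example, not EclecticIQ's YARA rule. Same hunting idea as
// MAL_CRIME_ONNX_Store_Phishing_PDF_QR, applied as a byte-level heuristic.
// Sample PDFs below are constructed; the "dompdf x.y.z + CPDF" Producer
// string is an assumption about how dompdf labels its output.

function scanPdfForQrLure(pdfBytes) {
  const text = pdfBytes.toString('latin1');          // PDF syntax is byte-oriented
  const findings = [];
  if (!text.startsWith('%PDF-')) return { verdict: 'not-a-pdf', findings };

  // Producer lives in the /Info dictionary; dompdf is the HTML-to-PDF converter
  // the ONNX lures were built with.
  const m = text.match(/\/Producer\s*\(([^)]*)\)/);
  const producer = m ? m[1] : '';
  const fromDompdf = /dompdf/i.test(producer);
  if (fromDompdf) findings.push(`producer: ${producer}`);

  // A QR code is rasterised into an image XObject when HTML is rendered to PDF.
  const images = (text.match(/\/Subtype\s*\/Image\b/g) || []).length;
  if (images > 0) findings.push(`image xobjects: ${images}`);

  // Lures are short; \b keeps the /Pages tree node out of the count.
  const pages = (text.match(/\/Type\s*\/Page\b/g) || []).length;
  if (pages > 0 && pages <= 2) findings.push(`pages: ${pages}`);

  // Both signals together are the hunting condition; each alone is too common.
  const verdict = fromDompdf && images > 0 ? 'suspicious' : 'clean';
  return { verdict, producer, images, pages, findings };
}

// Constructed sample: one-page dompdf-style PDF with a single image, the shape
// of the QR-code lures described above (image data omitted).
const SAMPLE_LURE_PDF = Buffer.from([
  '%PDF-1.7',
  '1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj',
  '2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj',
  '3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im1 4 0 R >> >> >> endobj',
  '4 0 obj << /Type /XObject /Subtype /Image /Width 300 /Height 300 /Length 0 >> stream',
  'endstream endobj',
  '5 0 obj << /Producer (dompdf 2.0.3 + CPDF) /Title (Employee Handbook) >> endobj',
  'trailer << /Root 1 0 R /Info 5 0 R >>',
  '%%EOF',
].join('\n'), 'latin1');

// Constructed benign control: same producer, text only, no image.
const SAMPLE_TEXT_PDF = Buffer.from([
  '%PDF-1.7',
  '1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj',
  '2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj',
  '3 0 obj << /Type /Page /Parent 2 0 R >> endobj',
  '4 0 obj << /Producer (dompdf 2.0.3 + CPDF) >> endobj',
  'trailer << /Root 1 0 R /Info 4 0 R >>',
  '%%EOF',
].join('\n'), 'latin1');

console.log(scanPdfForQrLure(SAMPLE_LURE_PDF));
console.log(scanPdfForQrLure(SAMPLE_TEXT_PDF));
```

Two caveats before using this on a mail stream: a PDF that stores its objects in compressed object streams, or that is encrypted, hides these markers from a plain byte scan, so a production rule decompresses first; and a Producer string is trivially removable, so treat a hit as a reason to extract and decode the image (and check where its QR URL points) rather than as a verdict on its own.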

Indicator of Compromise (IOC)

Phishing URLs:

  • authmicronlineonfication[.]com 

  • verify-office-outlook[.]com 

  • stream-verify-login[.]com 

  • zaq[.]gletber[.]com 

  • v744[.]r9gh2[.]com 

  • bsifinancial019[.]ssllst[.]cloud 

  • 473[.]kernam[.]com 

  • docusign[.]multiparteurope[.]com 

  • 56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com 

  • agchoice[.]us-hindus[.]com 

Malicious PDF files

  • 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3 

  • 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea 

  • 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1 

  • f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070 

  • 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a 

  • 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e 

  • 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7 

  • 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12 

  • d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172 

  • 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732 

ONNX Store API error page (When the monthly service payment was not renewed, this error was displayed as static data):

  • 0f5be6f53fe198ca32d82a75339fe832b70d676563ce8b7ca446d1902b92685

ONNX Store Admin Panel (Medium Confidence):

  • Onnx[.]su 

  • 5[.]181[.]156[.]247 

Possible server used by admin to manage ONNX Store API.

MITRE ATT&CK

  • T1566.001 – Phishing: Spearphishing Attachment

  • T1204 – User Execution

  • T1539 – Steal Web Session Cookie

  • T1567 – Exfiltration Over Web Service

  • T1132.001 – Data Encoding: Standard Encoding

  • T1027 – Obfuscated Files or Information

  • T1090.004 – Proxy: Domain Fronting

  • T1114 – Email Collection

  • T1557 – Adversary-in-the-Middle
