Learn about the new ONNX Store cyber threat, a phishing-as-a-service platform that is actively targeting financial institutions around the world. This article provides a detailed analysis of the mechanisms of the threat and its potential impact on the financial sector, considers the possible consequences for security systems and financial data, and provides recommendations for protection against such attacks.
In February 2024, phishing campaigns targeting financial institutions were discovered. Attackers used QR codes in attached PDF files to redirect victims to phishing URLs. The campaigns were carried out through a Phishing-as-a-Service (PhaaS) platform called the ONNX Store, with an interface accessible through bots on Telegram to orchestrate the attacks.
ONNX Store uses a two-factor authentication (2FA) bypass mechanism that intercepts 2FA requests and increases the success rate of business email compromise (BEC) attacks. Its phishing pages imitate Microsoft 365 login interfaces, tricking users into entering their credentials.
The ONNX Store is likely a rebrand of the Caffeine phishing kit discovered in 2022. The Arabic-speaking threat actor MRxC0DER is believed to be developing the kit and, according to messages on the store’s Telegram account, also to be in charge of customer support for the ONNX Store.
The link to Caffeine rests on similarities in operating strategies and server templates. In 2023, the former Caffeine Telegram channel announced a change in operating model and the launch of a new channel called the ONNX Store.
The rebranding of the platform is focused on improving operational security (OPSEC) for attackers and services. While Caffeine previously used a shared web server to manage phishing campaigns, the ONNX Store allows attackers to control operations through Telegram bots. In addition, a separate support channel is provided to assist customers.
@ONNXIT: A Telegram user account (possibly operated by a group of individuals) that handles customer support.
@ONNX2FA_bot: A Telegram bot for customers that retrieves 2FA codes from successful phishing operations.
@ONNXNORMAL_bot: A Telegram bot for customers that retrieves Microsoft Office 365 login credentials.
@ONNXWEBMAIL_bot: A Telegram bot for customers that controls the webmail server used to send phishing emails.
@ONNXKITS_BOT: Telegram bot for customers to make payments for ONNX Store services and track their orders. Services include:
Creating a Microsoft Office 365 phishing template.
A webmail service for sending phishing emails and using social engineering lures.
Bulletproof hosting and RDP services for cybercriminals to manage their operations securely.
Figure 4 shows the similarities between the API error messages of the ONNX and Caffeine phishing kits. Both platforms use similar backend mechanisms to manage API access. When the API key expires or becomes invalid, a message is displayed asking for renewal. Since these services operate on a subscription model, an expired API key means that the customer must purchase a new subscription to continue phishing operations.
Attackers abuse Cloudflare’s CAPTCHA and IP proxy features to protect their malicious sites. CAPTCHA helps avoid detection by phishing scanners, and IP proxy hides the original hosting provider, making it difficult to remove phishing domains associated with ONNX Store.
ONNX Store offers a variety of phishing tools designed for cybercriminals:
Basic Webmail ($150/month): Offers customized phishing pages and a webmail server.
Office 2FA Cookie Stealer ($400/month): A phishing landing page that captures 2FA tokens and cookies from victims, with statistics, country blocking, and email interception features.
Regular Office Suite ($200/month): Allows you to collect email credentials without bypassing 2FA.
Office Redirect Service ($200/month): Advertised by the ONNX Store as creating “Fully Undetectable (FUD) Links”. This service uses trusted domains such as bing.com to redirect victims to attacker-controlled phishing landing pages.
Figure 6 shows the various services and their capabilities in detail.
Attackers use the ONNX Store to distribute phishing PDF documents via email, posing as Adobe or Microsoft 365 materials. The documents are disguised as personnel updates or employee handbooks and contain QR codes that, when scanned, lead to malicious phishing pages. Using QR codes avoids detection at endpoints, as mobile devices often have limited threat monitoring capabilities.
Most of these attacks target banks and financial institutions in the EMEA and AMER regions.
When victims scan the QR code, they are taken to a phishing page designed to steal credentials and 2FA codes via the Adversary-in-the-Middle (AiTM) technique. A phishing site masquerading as a Microsoft 365 login page collects input in real time over WebSockets, allowing the stolen information to be transmitted quickly and making the operation less visible.
Another Phishing-as-a-Service platform, Tycoon, also uses the AiTM technique in conjunction with Cloudflare CAPTCHA, suggesting that attackers are learning and adapting their tactics by mimicking successful cybercriminal operations.
The ONNX Store phishing kit uses encrypted JavaScript code that is decrypted when the page is loaded and includes an anti-debugging feature to hinder scanners. This makes analysis and detection difficult. After decryption, victims’ metadata such as IP address, browser name and location are collected through third-party domains such as “httbin[.]org” and “ipapi[.]co”. This data is used to track operations and block certain IP addresses.
ONNX Store uses a simple XOR-based encryption scheme to hide malicious scripts. Decryption proceeds as follows:
The encoded string is decoded from Base64.
Each byte of the decoded string is XORed with the corresponding byte of a hardcoded key, cycling through the key when it is shorter than the data.
The result is the decrypted string (JavaScript code), which the browser then executes.
This method hides malicious scripts on a web page from casual inspection. It can be easily decrypted if the key and the encrypted string are known, as shown in Figure 10.
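The decryption steps above, implemented as an added example for analysts (this is not code from the report or from the ONNX Store kit); the key and the sample blob are constructed for the demonstration, and the encoder exists only to build that labelled sample.

```javascript
// Added example, not the kit's own code. Recovers a script hidden by the
// Base64 + repeating-key XOR scheme described above. Node.js Buffer is used
// so the XOR runs over raw bytes exactly as the decoded Base64 yields them.

// Repeating-key XOR over raw bytes; the same function encodes and decodes.
function xorWithKey(bytes, key) {
  const keyBytes = Buffer.from(key, "latin1");
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ keyBytes[i % keyBytes.length]; // cycle through the key
  }
  return out;
}

// Step 1: Base64-decode the blob; step 2: XOR with the hardcoded key;
// step 3: the result is the script text the page would hand to eval().
function decodeOnnxStyleBlob(encoded, key) {
  const raw = Buffer.from(encoded, "base64");
  return xorWithKey(raw, key).toString("latin1");
}

// Inverse of the decoder, used only to build the constructed sample below.
function encodeOnnxStyleBlob(script, key) {
  return xorWithKey(Buffer.from(script, "latin1"), key).toString("base64");
}

// Constructed sample: a harmless script and a made-up key (assumptions).
const SAMPLE_KEY = "demo-key";
const SAMPLE_SCRIPT = 'console.log("decoded payload");';
const SAMPLE_BLOB = encodeOnnxStyleBlob(SAMPLE_SCRIPT, SAMPLE_KEY);

// Sanity check: decoding the sample with the right key returns the script.
function roundTripOk() {
  return decodeOnnxStyleBlob(SAMPLE_BLOB, SAMPLE_KEY) === SAMPLE_SCRIPT;
}

console.log("blob:   ", SAMPLE_BLOB);
console.log("decoded:", decodeOnnxStyleBlob(SAMPLE_BLOB, SAMPLE_KEY));
```

When triaging a captured page, the key is usually a string literal next to the Base64 blob in the loader, so the same two steps recover the real payload for static analysis.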
Functionality for stealing user-entered 2FA tokens was discovered in the decrypted ONNX Store JavaScript code. The section of code responsible for capturing the OTP sends the entered OTP to the server via the sendAndReceive() function. If the OTP is accepted, the user is redirected to another page; in case of an error, a message appears asking them to try again.
The phishing page instantly transmits the credentials and 2FA token to the attacker, who uses them in real time to log into legitimate services, bypassing 2FA protection. This method allows unauthorized access to accounts before the token expires.
The domains in the ONNX Store infrastructure share the same registrar and the same SSL issuer: the certificates are issued by GTS CA 1P5 from Google Trust Services LLC, and most of the domains were registered through NameSilo and EVILEMPIRE-AS.
Bulletproof hosting services like those offered by the ONNX Store provide cybercriminals with a safe haven for malicious operations. Advertised with slogans like “Anything is allowed” and “Ignore all reports”, these hosts support illegal activities without the threat of being banned.
An ad spotted on Telegram mentions a bulletproof hosting service accessible via RDP sessions. It is not only suitable for phishing, but also for other malicious campaigns, offering high performance with improved CPU, RAM, SSD options and unlimited bandwidth managed through automated bots.
Financially motivated cybercriminals create services like the ONNX Store to help other criminals and generate income. These platforms make it easy to launch phishing campaigns with features such as 2FA bypass and realistic login pages, while ensuring the anonymity of the perpetrators. Stolen credentials are often sold on underground forums and used by ransomware groups to further infiltrate organizations.
Figure 14 presents countermeasures to prevent ONNX Store phishing threats. This includes technical methods, such as implementing DNSSEC to block malicious domains, and organizational practices, such as educating employees about the dangers of QR codes in PDF documents.
HUNT_CRIME_ONNX_PHISHING_URL: This rule is designed to hunt for possible phishing domains that use the ONNX Store API. It looks for certain patterns related to the ONNX Store, such as default API error messages and Telegram support links that appear when a threat actor’s monthly payment for the service has not been renewed.
MAL_CRIME_ONNX_Store_Phishing_PDF_QR: This YARA rule is designed to detect potentially malicious PDF files that contain QR codes by examining their structural patterns. It focuses on detecting the use of the open source HTML to PDF converter “dompdf” in the metadata section of a PDF file.
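A triage check in the spirit of the rule above, written here as an added example (it is not the report’s YARA rule): it flags PDFs whose Info dictionary names dompdf as Producer or Creator. The two sample PDFs are constructed, and the exact Producer string format is an assumption.

```javascript
// Added example, not the report's rule. Flags PDF attachments that carry
// a dompdf marker in their Info dictionary, the signal the YARA rule keys on.

// Pull the /Producer and /Creator literal strings out of the Info dictionary.
// Only parenthesised string objects are handled here (an assumption that
// covers the common case; hex strings are out of scope for this check).
function extractPdfInfo(pdfBytes) {
  const text = pdfBytes.toString("latin1");
  const info = {};
  for (const field of ["Producer", "Creator"]) {
    const m = text.match(new RegExp("/" + field + "\\s*\\(([^)]*)\\)"));
    if (m) info[field] = m[1];
  }
  return info;
}

// A file is flagged when it starts with the PDF magic and any metadata
// field mentions dompdf (case-insensitive, as the kit's output may vary).
function isDompdfGenerated(pdfBytes) {
  if (!pdfBytes.subarray(0, 5).equals(Buffer.from("%PDF-"))) return false;
  const info = extractPdfInfo(pdfBytes);
  return Object.values(info).some((v) => /dompdf/i.test(v));
}

// Constructed minimal PDF skeletons (not real attachments from the campaign).
const DOMPDF_SAMPLE = Buffer.from(
  "%PDF-1.7\n1 0 obj\n<< /Producer (dompdf 2.0.4 + CPDF) /Creator (DOMPDF) >>\nendobj\n%%EOF",
  "latin1"
);
const WORD_SAMPLE = Buffer.from(
  "%PDF-1.7\n1 0 obj\n<< /Producer (Microsoft Word) /Creator (Microsoft Word) >>\nendobj\n%%EOF",
  "latin1"
);

console.log("dompdf sample flagged:", isDompdfGenerated(DOMPDF_SAMPLE));
console.log("word sample flagged:  ", isDompdfGenerated(WORD_SAMPLE));
```

Metadata is trivially editable and plenty of legitimate documents are produced with dompdf, so treat a hit as a triage signal to combine with the attachment’s context (embedded QR image, sender, lure wording) rather than as a verdict.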
Phishing URLs:
ONNX Store API error page (displayed as static content when the monthly service payment was not renewed):
0f5be6f53fe198ca32d82a75339fe832b70d676563ce8b7ca446d1902b92685
Onnx[.]su
5[.]181[.]156[.]247
T1566.001 – Phishing: Spearphishing Attachment
T1204 – User Execution
T1539 – Steal Web Session Cookie
T1567 – Exfiltration Over Web Service
T1132.001 – Data Encoding: Standard Encoding
T1027 – Obfuscated Files or Information
T1090.004 – Proxy: Domain Fronting
T1114 – Email Collection
T1557 – Adversary-in-the-Middle