Researchers Observe Evasive New ‘ONNX Store’ Phishing Kit
Researchers believe ONNX Store is likely a rebranding of existing Caffeine phishing kit.
Alan J June 20th, 2024
Share on LinkedInShare on Twitter
Researchers have discovered a new phishing campaign that relies on a phishing-as-a-service platform called ONNX Store, available for purchase over Telegram. ONNX Store appears to be a rebranded version of an already existing phishing kit called Caffeine. The kits share infrastructure and are advertised on the same Telegram channels.
The phishing campaign targets financial institutions with QR codes embedded in PDF attachments. When victims scan these codes with their phones, they are redirected to fake login pages designed to collect login credentials and two-factor authentication keys.
ONNX Store Enables Theft of Credentials in Real Time
Source: blog.eclecticiq.com
ONNX Store offers a variety of powerful phishing tools designed to support cybercriminals, including custom phishing pages, webmail servers, 2FA cookie stealers, and “fully undetectable” referral services that use trusted domains to direct victims to phishing landing pages.
Researchers from EclecticIQ have noticed that threat actors using the ONNX Store phishing kit tend to distribute PDF files as attachments in phishing emails. Impersonating a reputable service, these documents contain a QR code that directs victims to malicious phishing landing pages. This tactic, known as “quishing,” takes advantage of the lack of detection or prevention present on employee’s personal mobile devices, which are usually left unprotected. The lack of protection on mobile devices also makes it challenging to monitor these threats.
The phishing landing pages aim to steal sensitive credentials using the Adversary-in-The-Middle (AiTM) method, which allows for real-time capture and transmission of stolen data without the need for frequent HTTP requests. This makes the phishing operation more efficient and harder to detect.
The ONNX Store Phishing Kit uses encrypted JavaScript code that decrypts itself upon page load and includes a basic anti-JavaScript debugger. This adds a layer of protection against phishing scanners and complicates detection. The decrypted JavaScript code then collects the victims’ network metadata, including details such as browser name, IP address, and location.
The decrypted JavaScript code is designed to steal 2FA tokens entered by the victims. This allows attackers to bypass typical 2FA protection and gain unauthorized access to the victim’s account before it expires.
Researchers identified similarities in domain registrant and SSL issuer across various infrastructures deployed by the ONNX Store phishing kit. These similarities indicated the use of bulletproof hosting services to host the campaign.
Researchers Believe ONNX Store is Rebranding of Caffeine Kit
Researchers have assessed that the ONNX Store phishing kit is likely a rebranding of the Caffeine phishing kit. This assessment is based on the significant overlaps in infrastructure and advertising on the same Telegram channels. This overlap includes the involvement of the Arabic-speaking threat actor MRxC0DER as the likely developer and maintainer behind the Caffeine kit.
Source: blog.eclecticiq.com
The rebranding of the platform appears to be focused on improving operational security for malicious actors. The ONNX Store service enables threat actors to control operations through Telegram bots with an additional support channel to assist clients rather than a single web server. This shift in infrastructure and management makes it more challenging to take down the platform’s phishing domains.
To further increase its resilience, ONNX Store uses Cloudflare services to delay the removal process of its phishing domains. This abuse of Cloudflare’s CAPTCHA feature and IP proxy helps attackers avoid detection through the use of phishing web crawlers and URL sandboxes. This practice also hides the original host and makes it more difficult to take down phishing domains.
Advertised with slogans like “Anything is allowed” and “Ignore all reports of abuse”, these services are designed to support a wide range of illegal activities without the risk of being blocked, creating a safe haven for cybercriminals.