ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution

EclecticIQ researchers reveal that ONNX Store is a Phishing-as-a-Service platform that rebrands the Caffeine kit to orchestrate targeted phishing campaigns against financial institutions, controlled via Telegram bots and QR-coded PDFs. The operation features 2FA bypass, AiTM landing pages, encrypted JavaScript, and a suite of services (Webmail, 2FA cookie theft, RDP hosting) to enable, scale, and conceal credential theft and account compromise. #MRxC0DER #Caffeine #ONNXStore #AiTM #NavyFederalCreditUnion #Cloudflare

Keypoints

  • ONNX Store is a Phishing-as-a-Service platform that appears to be a rebranding of the Caffeine phishing kit, with management via Telegram channels and bots.
  • It includes a 2FA bypass mechanism that intercepts 2FA requests from victims to improve the success rate of BEC attacks.
  • Phishing pages impersonate Microsoft 365 and other services, delivered via PDF attachments with embedded QR codes directing to malicious landing pages.
  • Attackers use AiTM-style landing pages and WebSockets to capture credentials in real time, enabling immediate account access.
  • ONNX Store offers multiple services (Webmail phishing, Office credential harvesting, 2FA cookie stealing, redirects) and bulletproof hosting to support operations.
  • Cloudflare is leveraged to delay phishing domain shutdowns, hiding traffic via anti-bot CAPTCHAs and IP proxying.
  • Extensive IOCs include phishing URLs, domains, and numerous file hashes associated with ONNX Store phishing kits.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The phishing PDFs are distributed via email attachments through ONNX Store services, impersonating reputable services like Adobe or Microsoft 365. ‘threat actors use ONNX Store services to distribute PDF documents via phishing email attachments. These documents impersonate reputable services such as Adobe or Microsoft 365…’
  • [T1204] User Execution – Phishing pages look like real Microsoft 365 login interfaces, tricking targets into entering their authentication details. ‘phishing pages look like real Microsoft 365 login interfaces, tricking targets into entering their authentication details.’
  • [T1539] Steal Web Session Cookie – Attackers use stolen credentials and 2FA tokens to access accounts in real time. ‘the attacker uses stolen credentials and 2FA token in real-time to log into the legitimate service…’
  • [T1567] Exfiltration Over Web Service – Data is collected and transmitted via web protocols (WebSockets) to attackers. ‘phishing server collects stolen information via WebSockets protocol, which allows real-time, two-way communication…’
  • [T1132.001] Data Encoding: Standard Encoding – Encoded strings are decoded during decryption of malicious scripts. ‘Encoded string is decoded from Base64.’
  • [T1027] Obfuscated Files or Information – The kit uses encrypted JavaScript that decrypts on page load to hinder analysis. ‘encrypted JavaScript code that decrypts itself during page load…’
  • [T1090.004] Proxy: Domain Fronting – Infrastructure relies on proxy techniques to hide hosting and traffic. ‘Proxy: Domain Fronting’ (as noted in related infrastructure descriptions).
  • [T1114] Email Collection – ONNX Store services include capabilities for harvesting email credentials and related data. ‘Office Normal package ($200/Month): Enables email credential harvesting capabilities without bypassing 2FA.’
  • [T1557] Adversary-in-The-Middle – AiTM-style phishing pages capture credentials and 2FA tokens in real time. ‘Adversary-in-The-Middle (AiTM) method.’

Indicators of Compromise

  • [URL] Phishing URLs – authmicronlineonfication[.]com, verify-office-outlook[.]com, stream-verify-login[.]com, zaq[.]gletber[.]com
  • [Domain/IP] Phishing infrastructure – onnx[.]su (domain), 5[.]181[.]156[.]247 (IP address), ONNXIT (Telegram handle used for support)
  • [File Hash] Malicious payloads – 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3, 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea
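The indicators above are published defanged (`[.]` in place of `.`), so they cannot be matched against logs as-is. The script below is an added defender-side example, not code from the EclecticIQ report: it refangs the summary's own indicators into a watchlist, sweeps a handful of constructed proxy, DNS, mail-gateway and firewall log lines for domain, parent-domain, IP and SHA-256 matches, and re-defangs each hit for safe reporting. The log lines and the category names (`phishing_url_domain`, `infrastructure_domain`, `infrastructure_ip`, `file_sha256`) are assumptions made for the example; only the indicator values come from the page.

```python
import re

# Indicators as published in the EclecticIQ summary, kept in their defanged form.
# The category names are this example's own, not the report's.
REPORT_IOCS = {
    "phishing_url_domain": [
        "authmicronlineonfication[.]com",
        "verify-office-outlook[.]com",
        "stream-verify-login[.]com",
        "zaq[.]gletber[.]com",
    ],
    "infrastructure_domain": ["onnx[.]su"],
    "infrastructure_ip": ["5[.]181[.]156[.]247"],
    "file_sha256": [
        "432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3",
        "47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea",
    ],
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable, lower-cased form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def defang(ioc: str) -> str:
    """Defang an indicator so it is safe to paste into tickets and reports."""
    return ioc.replace(".", "[.]")


def build_watchlist(report: dict) -> dict:
    """Map each refanged indicator to its category for constant-time lookups."""
    return {refang(ioc): cat for cat, iocs in report.items() for ioc in iocs}


# Loose extractors: they over-match (e.g. "invoice.pdf" looks like a domain),
# which is acceptable because every candidate is checked against the watchlist.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def parent_domains(domain: str):
    """Yield the domain and each parent down to two labels, so a lookup for
    'cdn.onnx.su' also hits a watchlist entry for 'onnx.su'."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def scan_line(line: str, watchlist: dict) -> list:
    """Return (indicator, category) pairs found in one log line, de-duplicated."""
    found = []
    for dom in DOMAIN_RE.findall(line):
        for cand in parent_domains(dom):
            if cand in watchlist:
                found.append((cand, watchlist[cand]))
                break
    for ip in IP_RE.findall(line):
        if ip in watchlist:
            found.append((ip, watchlist[ip]))
    for digest in SHA256_RE.findall(line):
        digest = digest.lower()
        if digest in watchlist:
            found.append((digest, watchlist[digest]))
    return list(dict.fromkeys(found))  # drop duplicates, keep first-seen order


def scan_logs(lines, watchlist: dict) -> list:
    """Return (line_number, indicator, category) for every hit across the log."""
    return [(n, ioc, cat)
            for n, line in enumerate(lines, 1)
            for ioc, cat in scan_line(line, watchlist)]


# Constructed sample log lines for the example (proxy, DNS, mail gateway, firewall);
# the users, hosts and timestamps are invented, not real telemetry.
SAMPLE_LOGS = [
    "2024-06-18T09:12:03Z proxy user=jdoe GET https://verify-office-outlook.com/login.php status=200",
    "2024-06-18T09:12:04Z dns query=cdn.onnx.su type=A",
    "2024-06-18T09:13:10Z proxy user=asmith GET https://login.microsoftonline.com/common status=200",
    "2024-06-18T09:15:44Z mailgw from=billing@example.test attachment=invoice.pdf "
    "sha256=432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3",
    "2024-06-18T09:16:00Z fw action=allow dst=5.181.156.247 dport=443",
]

if __name__ == "__main__":
    watchlist = build_watchlist(REPORT_IOCS)
    for n, ioc, cat in scan_logs(SAMPLE_LOGS, watchlist):
        print(f"line {n}: {cat} -> {defang(ioc)}")
```

Run as-is it reports four hits (lines 1, 2, 4 and 5) and leaves the legitimate Microsoft sign-in on line 3 alone; the parent-domain walk is what catches the DNS query for a subdomain of onnx[.]su that an exact-match lookup would miss.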

Read more: https://blog.eclecticiq.com/onnx-store-targeting-financial-institution