ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution

July 2, 2024, 3:51 p.m.

Description

This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform that targets financial institutions with QR codes embedded in PDF attachments; scanning the code redirects victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic Microsoft 365 phishing pages, and the use of Cloudflare to evade detection. It assesses with high confidence that ONNX Store is a rebranding of the Caffeine phishing kit, likely developed and maintained by the Arabic-speaking threat actor MRxC0DER. The report also covers prevention strategies and detection opportunities, and provides indicators of compromise.

Date

Published: July 2, 2024, 3:45 p.m.
Created: July 2, 2024, 3:45 p.m.
Modified: July 2, 2024, 3:51 p.m.

Indicators


Attack Patterns

Caffeine

MRxC0DER

T1090.004

T1132.001

T1539

T1557

T1567

T1114

T1566.001

T1204

T1027

Additional Information

Finance