216.73.217.22

ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution

· Published 02/07/2024 15:45 · Modified 02/07/2024 15:51

Export JSON

Essential information

Published
02/07/2024 15:45
Modified
02/07/2024 15:51
Tags
2024-07-02 caffeine credential-theft cybercrime fintech onnx store phishing qrcode
Related entities
25 observables, 1 intrusion sets (apt), 9 techniques (mitre), 1 malware, 1 others

Description

This intelligence report analyzes the , a -as-a-service platform targeting financial institutions through embedded QR codes in PDF attachments redirecting victims to sites. The report details the platform's features, including two-factor authentication bypass, realistic Microsoft 365 pages, and use of Cloudflare to evade detection. It assesses with high confidence that is a rebranding of the kit, likely developed and maintained by the Arabic-speaking threat actor MRxC0DER. The report also covers prevention strategies, detection opportunities, and provides indicators of compromise.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (25)

  • 5.181.156.247
  • https://crax.tube/@caffeinestore
  • zaq.gletber.com
  • v744.r9gh2.com
  • docusign.multiparteurope.com
  • bsifinancial019.ssllst.cloud
  • agchoice.us-hindus.com
  • 473.kernam.com
  • 56789iugtfrd5t69i9ei9die9di9eidy7u889.rhiltons.com
  • verify-office-outlook.com
  • stream-verify-login.com
  • httbin.org
  • crax.tube
  • authmicronlineonfication.com
  • f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070
  • d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172
  • 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12
  • 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7
  • 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a
  • 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1
  • 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea
  • 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732
  • 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3
  • 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e
  • 0f5be6f53fe198ca32d82a75339fe832b70d676563ce8b7ca446d1902b926856

Intrusion sets (APT) (1)

  • MRxC0DER
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:45 · Modified 21/12/2025 05:45

Techniques (MITRE) (9)

Malware (1)

  • Caffeine
    Family
    Published 02/07/2024 15:45 · Modified 02/07/2024 15:45

Others (1)

  • Finance

External references