{
  "name": "ONNX Store: Phishing-as-a-Service Platform Targeting Financial Institution",
  "slug": "onnx-store-phishing-as-a-service-platform-targeting-financial-institution",
  "description": "This intelligence report analyzes the ONNX Store, a phishing-as-a-service platform targeting financial institutions through QR codes embedded in PDF attachments that redirect victims to phishing sites. The report details the platform's features, including two-factor authentication bypass, realistic Microsoft 365 phishing pages, and the use of Cloudflare to evade detection. It assesses with high confidence that ONNX Store is a rebranding of the Caffeine phishing kit, likely developed and maintained by the Arabic-speaking threat actor MRxC0DER. The report also covers prevention strategies and detection opportunities, and provides indicators of compromise.",
  "published": "2024-07-02T13:45:09+00:00",
  "created_at": "2024-07-02T13:45:09+00:00",
  "modified_at": "2024-07-02T13:51:36+00:00",
  "created_at_opencti": "2024-07-02T13:45:09+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-07-02",
    "caffeine",
    "credential-theft",
    "cybercrime",
    "fintech",
    "onnx store",
    "phishing",
    "qrcode"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "5.181.156.247"
      },
      {
        "id": "",
        "name": "https://crax.tube/@caffeinestore"
      },
      {
        "id": "",
        "name": "zaq.gletber.com"
      },
      {
        "id": "",
        "name": "v744.r9gh2.com"
      },
      {
        "id": "",
        "name": "docusign.multiparteurope.com"
      },
      {
        "id": "",
        "name": "bsifinancial019.ssllst.cloud"
      },
      {
        "id": "",
        "name": "agchoice.us-hindus.com"
      },
      {
        "id": "",
        "name": "473.kernam.com"
      },
      {
        "id": "",
        "name": "56789iugtfrd5t69i9ei9die9di9eidy7u889.rhiltons.com"
      },
      {
        "id": "",
        "name": "verify-office-outlook.com"
      },
      {
        "id": "",
        "name": "stream-verify-login.com"
      },
      {
        "id": "",
        "name": "httbin.org"
      },
      {
        "id": "",
        "name": "crax.tube"
      },
      {
        "id": "",
        "name": "authmicronlineonfication.com"
      },
      {
        "id": "",
        "name": "f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070"
      },
      {
        "id": "",
        "name": "d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172"
      },
      {
        "id": "",
        "name": "908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12"
      },
      {
        "id": "",
        "name": "702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7"
      },
      {
        "id": "",
        "name": "52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a"
      },
      {
        "id": "",
        "name": "51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1"
      },
      {
        "id": "",
        "name": "47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea"
      },
      {
        "id": "",
        "name": "4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732"
      },
      {
        "id": "",
        "name": "432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3"
      },
      {
        "id": "",
        "name": "3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e"
      },
      {
        "id": "",
        "name": "0f5be6f53fe198ca32d82a75339fe832b70d676563ce8b7ca446d1902b926856"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:4f582819d2e97ade",
        "name": "Caffeine",
        "slug": "caffeine"
      }
    ],
    "intrusion_sets": [
      {
        "id": "d3a2bf4d-c584-4a73-92d5-d736b6db7102",
        "name": "MRxC0DER",
        "slug": "mrxc0der"
      }
    ],
    "attack_patterns": [
      {
        "id": "4fd06918-600c-4ab5-b1bd-8db8458085a5",
        "name": "T1090.004"
      },
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "00430919-9257-403b-8a1b-958d4c3613aa",
        "name": "T1557"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://blog.eclecticiq.com/onnx-store-targeting-financial-institution",
    "https://otx.alienvault.com/pulse/668420852fe2b48bf62d8696"
  ]
}