National Cyber Warfare Foundation (NCWF) Forums


New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication


0 user ratings
2024-06-19 12:05:05
milo
Red Team (CNA)

 - archive -- 

Several phishing campaign kits have been used widely by threat actors in the past. One popular PhaaS (Phishing-as-a-Platform) was Caffeine, which was first identified and reported by Mandiant researchers.  MRxC0DER, an Arabic-speaking threat actor, developed and maintained the caffeine kit. However, Caffeine has now been discovered to be rebranded as ONNX Store and is found […]


The post New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Several phishing campaign kits have been used widely by threat actors in the past. One popular PhaaS (Phishing-as-a-Platform) was Caffeine, which was first identified and reported by Mandiant researchers. 





MRxC0DER, an Arabic-speaking threat actor, developed and maintained the caffeine kit.





However, Caffeine has now been discovered to be rebranded as ONNX Store and is found to be managed independently, but the original developer is taking care of the Client support.





Threat actors are currently using this new rebranded platform to target financial institutions through phishing emails.





Additionally, the ONNX store offers a user-friendly interface that can be accessed via Telegram bots.





Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan





Further, it also has the capabilities to bypass 2FA mechanisms which will increase the success rate of business email compromise attacks.





PhaaS Platform Bypass 2FA





According to the reports shared with Cyber Security News, the phishing pages used in these campaigns resemble the original Microsoft 365 login page that will convince any unsuspecting user to enter their authentication credentials.





As a matter of fact, the rebranding specifically focused on improving operational security for threat actors and their services.





Overview of ONNX store (Source: EclecticIQ)



While Caffeine kit used a single shared web server for managing all the phishing campaigns, this new ONNX store allows threat actors to control their operations via Telegram bots and support is provided by a support channel. Some of the observed ONNX store channels and bots are






  • @ONNXIT: A Telegram user – manages support needs from clients. 




  • @ONNX2FA_bot: A Telegram bot for clients to receive 2FA codes from successful phishing operations. 




  • @ONNXNORMAL_bot: A Telegram bot for clients to receive Microsoft Office 365 login credentials. 




  • @ONNXWEBMAIL_bot: A Telegram bot for clients to control a Webmail server for sending phishing emails. 




  • @ONNXKITS_BOT: A Telegram bot for clients to make payments for ONNX Store services and track their orders. 





This is one hand of the channels and the bots, whereas the Services offered include: 






  • Microsoft Office 365 phishing template generation. 




  • Webmail service for sending phishing emails and using social engineering lures. 




  • Bulletproof hosting and RDP services for cybercriminals to manage their operations securely. 





Cloudflare To prevent Domain Shutdowns





In several instances, Law Enforcement fought against these cybercriminal operations that have resulted in domain shutdowns to prevent further activities.





However, this new setup uses Cloudflare to delay the takedown process of phishing domains, which provides features like anti-bot CAPTCHA to evade website scanner detections and IP proxying to hide the original hosting provider.





Cloudflare implementation (Source: EclecticIQ)



Further, the cost of different phishing tools is as follows:






  • Webmail Normal service ($150/Month): Offers customizable phishing pages and webmail server. 




  • Office 2FA Cookie Stealer ($400/Month): A phishing landing page that captures 2FA tokens and cookies from victims, featuring statistics, country blocking, and email grabbing. 




  • Office Normal package ($200/Month): Enables email credential harvesting capabilities without bypassing 2FA. 




  • Office Redirect Service ($200/Month): Advertised by ONNX Store as creating “Fully Undetectable (FUD) links”. This service exploits trusted domains, such as bing.com, to redirect victims into attacker controlled phishing landing pages. 





List of available options in ONNX Store (Source: EclecticIQ)



As added information, this new PhaaS platform also allows Quishing (QR-phishing) attacks in which threat actors distribute PDF documents via phishing emails that will contain a QR code. 





If these QR codes are scanned, it will redirect the victim to a phishing landing page. Further, most of the phishing emails impersonated reputable services like Adobe or Microsoft 365.





Encrypted JS Code To Evade Detection





Adding to its arsenal, this phishing kit also uses an encrypted Javascript code that will only decrypt when the page loads.





This prevents anti-phishing scanners from detecting these phishing domains. 





Once the JS code decrypts, third-party domains such as “httbin[.]org” and “ipapi[.]co” collect the victims’ network metadata, such as browser name, IP address, and location, before sending it to threat actors.





The encryption method also hides malicious scripts which follow the below approaches






  • Encoded string is decoded from base64




  • Every character of the decoded string is XORed with a character from the hardcoded key, cycling through the key for the decryption. 




  • The result is a decrypted string (JavaScript code), which is then executed by the browser. 





These hidden malicious scripts cannot be viewed during a casual inspection. However, if the key and the encrypted string are known, it can be decrypted easily.





However, the decrypted JS code was also designed to steal the 2FA token entered by the victims.





Bulletproof Hosting For Cybercriminals





The phishing domains registered have SSL certificates, which GTS CA 1P5 issued from Google Trust Services LLC.





Further, most of the registered domains were through NameSilo and EVILEMPIRE-AS.





Further, these bulletproof hosting services enabled cybercriminals an additional layer of anonymity.





Bulletproof hosting (Source: EclecticIQ)



In addition, there were services designed to support a wide range of illegal operations.





The advertisement on a Telegram group stated that the Bulletproof hosting was under development and they were adding RDP sessions.





Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free





Further, this new ONNX store is also mentioned to support multiple malicious campaigns with high-performance features using enhanced RAM, CPU, and SSD speeds and unlimited bandwidths.





Indicators Of Compromise





Phishing URLs  






  • authmicronlineonfication[.]com 




  • verify-office-outlook[.]com 




  • stream-verify-login[.]com 




  • zaq[.]gletber[.]com 




  • v744[.]r9gh2[.]com 




  • bsifinancial019[.]ssllst[.]cloud 




  • 473[.]kernam[.]com 




  • docusign[.]multiparteurope[.]com 




  • 56789iugtfrd5t69i9ei9die9di9eidy7u889[.]rhiltons[.]com 




  • agchoice[.]us-hindus[.]com 





Malicious PDF Files 






  • 432b1b688e21e43d2ccc68e040b3ecac4734b7d1d4356049f9e1297814627cb3 




  • 47b12127c3d1d2af24f6d230e8e86a7b0c661b4e70ba3b77a9beca4998a491ea 




  • 51fdaa65511e7c3a8d4d08af59d310a2ad8a18093ca8d3c817147d79a89f44a1 




  • f99b01620ef174bb48e22e54327ca9cffa4520868f49a41c524b81ab6d935070 




  • 52e04c615b08af10b4982506c1cee74cb062116d31f0300ed027f6efd3119b1a 




  • 3d58733b646431a60d39394be99ff083d6db3583796b503e8422baebed8d097e 




  • 702008cae9a145741e817e6c6566cd1d79c737d51b718f13a2d16d72a00cd5a7 




  • 908af49857b6f5d1e0384a5e6fc8ee53ca1df077601843ebdd7fc8a4db8bcb12 




  • d3b03f79cf1d088d2ed41e25c961e9945533aeabb93eac2d33ebc4b589ba6172 




  • 4751234ac4e1b0a5d4685b870de1ea1a7754258977f5d1d9534631c09c748732 


The post New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/phaas-platform-bypass-2fa/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.