
Ankura CTIX FLASH Update - June 21, 2024

Malware Activity

ONNX Phishing-as-a-Service Platform Targets Financial Firms

Researchers at EclecticIQ have identified a new Phishing-as-a-Service (PhaaS) platform named “ONNX Store” that sells phishing landing pages designed to steal login credentials and two-factor authentication (2FA) codes for victims’ Microsoft 365 (M365) accounts. The kit is sold and operated through Telegram bots and gives purchasers a user-friendly interface for running their campaigns. The phishing email observed in the campaign claims to contain salary update information from the company’s HR department. To evade email security scanning, the lure directs victims to the phishing site through a QR code embedded in an attached PDF, so the malicious URL never appears in the message body. The landing page captures the victim’s M365 credentials and 2FA code with encrypted JavaScript that relays each input over WebSockets to the attacker’s server, and the attacker immediately reuses the stolen password and code to log in to the victim’s M365 account before the one-time code expires. EclecticIQ analysts assess that ONNX Store is a rebranding of the Caffeine PhaaS platform first reported by researchers in 2022. To date, researchers have observed the campaign targeting financial institutions, including banks and credit union service providers, across the AMEA and AMER regions. ONNX Store reflects the growing sophistication of PhaaS kits and should concern all organizations. Because the kit relays the password and one-time code to the legitimate service in real time, code-based 2FA (SMS or authenticator-app codes) does not stop it; only phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the authentication to the genuine site’s origin, do. CTIX analysts recommend that organizations consider implementing the prevention methods listed in EclecticIQ’s blog post. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
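
To see why a real-time relay of this kind defeats one-time codes but not origin-bound MFA, the following Python simulation is added here as an illustration; it is not code from EclecticIQ, Microsoft or the ONNX kit. It implements RFC 6238 TOTP for the legacy flow and models a WebAuthn assertion whose signed clientDataJSON carries the origin the browser is actually on. The user, secrets, origins and challenges are constructed, and an HMAC key stands in for the authenticator's asymmetric signing key.

```python
"""Real-time credential/2FA relay versus origin-bound MFA.

Added illustration, not code from EclecticIQ or from the ONNX kit. It models the
flow described above: the phishing page forwards what the victim types (password
and 2FA code) to the attacker's backend, which replays it against the genuine
service within seconds. All identity-provider state below is constructed.
"""
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://login.example-bank.com"  # assumed genuine IdP origin
PHISH_ORIGIN = "https://login.example-bank.co"   # assumed look-alike phishing origin

# Constructed identity-provider state for one user.
USER = "alice"
PASSWORD = "correct horse battery staple"
TOTP_SECRET = b"constructed-shared-totp-secret"
# Stand-in for the FIDO2 authenticator's private key. A real authenticator uses an
# asymmetric key; an HMAC key is enough here to model "only the authenticator signs".
AUTHENTICATOR_KEY = b"constructed-authenticator-key"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code only changes every `step` seconds."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def idp_login_totp(username: str, password: str, code: str, now: float) -> bool:
    """Legacy flow: password plus 6-digit code. Nothing binds the login to an origin."""
    return (username == USER and password == PASSWORD
            and hmac.compare_digest(code, totp(TOTP_SECRET, now)))


def authenticator_sign(challenge: str, origin: str) -> dict:
    """What the browser and authenticator produce for navigator.credentials.get().
    The browser, not the page's JavaScript, writes the origin it is actually on."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge, "origin": origin})
    sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def idp_login_webauthn(assertion: dict, expected_challenge: str) -> bool:
    """Phishing-resistant flow: the signature must verify AND the signed origin
    must be ours. A relayed assertion carries the phishing origin and fails."""
    client_data = assertion["clientDataJSON"]
    expected_sig = hmac.new(AUTHENTICATOR_KEY, client_data.encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False
    data = json.loads(client_data)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == expected_challenge
            and data.get("origin") == LEGIT_ORIGIN)


def forge_origin(assertion: dict) -> dict:
    """Attacker rewrites the signed clientDataJSON to claim the genuine origin."""
    data = json.loads(assertion["clientDataJSON"])
    data["origin"] = LEGIT_ORIGIN
    return {"clientDataJSON": json.dumps(data), "signature": assertion["signature"]}


def attacker_relay_totp(captured: dict, now: float) -> bool:
    """The phishing page's WebSocket backend replays the captured fields immediately."""
    return idp_login_totp(captured["user"], captured["password"], captured["code"], now)


def attacker_relay_webauthn(challenge: str) -> bool:
    """The attacker forwards the genuine IdP's challenge to the victim's browser,
    but that browser is on the phishing origin, so that is the origin that gets signed."""
    return idp_login_webauthn(authenticator_sign(challenge, PHISH_ORIGIN), challenge)


def run_demo(now: float = 1_719_000_000.0) -> dict:
    """Outcomes a defender should expect from the two MFA designs."""
    captured = {"user": USER, "password": PASSWORD, "code": totp(TOTP_SECRET, now)}
    return {
        # Replayed 5 s later, inside the same 30 s window: the IdP cannot tell.
        "totp_relay_succeeds": attacker_relay_totp(captured, now + 5),
        # The same code three windows later: the only protection an OTP gives.
        "totp_replay_later_fails": not attacker_relay_totp(captured, now + 90),
        # A relayed WebAuthn assertion is rejected because of the origin mismatch.
        "webauthn_relay_fails": not attacker_relay_webauthn("constructed-challenge-1"),
        # Rewriting the origin in transit breaks the signature instead.
        "webauthn_forged_origin_fails": not idp_login_webauthn(
            forge_origin(authenticator_sign("constructed-challenge-3", PHISH_ORIGIN)),
            "constructed-challenge-3"),
        # The same check passes for the user on the genuine site.
        "webauthn_legit_succeeds": idp_login_webauthn(
            authenticator_sign("constructed-challenge-2", LEGIT_ORIGIN),
            "constructed-challenge-2"),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The point the simulation makes is that the TOTP verifier has no way to know the code arrived over a relay, so the only thing an organization controls is the MFA design: with WebAuthn the browser, not the phishing page, decides which origin is signed, and the relying party's origin check rejects anything signed on a look-alike domain.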

Threat Actor Activity

New Hacker Group Actively Targeting Chinese-speaking Users Via Malicious VPN Installers

A new threat actor, tracked as Void Arachne, is targeting Chinese-speaking users through a campaign that hides malware inside seemingly innocuous software, including VPN installers and Chinese language packs. First observed in early April 2024, the activity cluster distributes Windows Installer (MSI) files bundled with a command-and-control (C2) framework known as Winos 4.0. The campaign is notable for its distribution methods: search engine optimization (SEO) poisoning and promotion through social media and messaging platforms, particularly Telegram channels themed around Chinese-language content. Void Arachne advertises trojanized builds of popular software such as web browsers, VPN clients, and deepfake pornography-generating applications, using these lures to deliver the malware. Once installed, the malware is designed to bypass firewall protections, establish persistence on the victim's device, and give the operators remote control over the compromised system. Winos 4.0 supports a wide range of malicious capabilities, including file management, distributed denial-of-service (DDoS) attacks, webcam and microphone control, and keylogging, through a plugin-based architecture that the attackers can extend as needed. The campaign specifically targets Chinese-speaking users, exploiting the heightened public interest in VPN services created by China's stringent internet regulations, collectively known as the Great Firewall. By offering software that promises to circumvent online censorship, Void Arachne turns that demand into an infection vector. This activity underscores a broader trend of cybercriminals abusing VPN tools and similar software to target users in regions with heavy internet censorship, as well as an increase in cyberattacks aimed at Chinese citizens and organizations.

Vulnerabilities

Exploited Zero-Day Vulnerability in Kraken Crypto Exchange Leads to Theft of Millions of Dollars

Kraken, a cryptocurrency exchange, disclosed details of a security incident in which a security researcher exploited a zero-day vulnerability in its platform, resulting in the theft of roughly $3 million in cryptocurrency. The vulnerability allowed account balances to be artificially increased: a recent user interface change caused deposits to be credited to accounts before the deposit had fully completed, so funds could be spent that had never actually arrived. Kraken's security team identified and fixed the flaw within minutes of the report, but by then three (3) accounts, including one (1) belonging to the researcher, had used it to withdraw funds from Kraken's treasury. When Kraken requested a proof-of-concept (PoC) and the return of the funds, the researchers instead demanded compensation, prompting Kraken to treat the matter as a criminal case. CertiK, a blockchain security firm, subsequently claimed responsibility, asserting that its actions were part of research and criticizing Kraken's security controls; Kraken, however, accused CertiK of exploiting the flaw for financial gain before reporting it. The incident is being coordinated with law enforcement. CTIX analysts note that the flaw was server-side and has been patched, so there is no remediation for users to apply; Kraken users should nevertheless keep the Kraken application up to date and follow standard account hygiene such as strong, unique passwords and multi-factor authentication (MFA).
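
The class of bug described above, a balance credited when a deposit is merely initiated rather than when it is final, is easy to see in a small ledger model. The following Python is an added illustration, not Kraken's code and not a reconstruction of the exact defect (the report does not describe it); it contrasts the flawed crediting logic with one that holds funds as pending until a confirmation threshold is reached and credits each transaction ID exactly once. The account model, deposit lifecycle, confirmation threshold and transaction IDs are assumptions constructed for the example.

```python
"""Crediting a deposit before it is final, beside the corrected ledger logic.

Added illustration, not Kraken's code and not a reconstruction of the exact bug:
the report only says the flaw let balances be increased by deposits that had not
fully completed. The ledger, deposit lifecycle, confirmation threshold and
transaction IDs are constructed for this example.
"""
from dataclasses import dataclass, field

REQUIRED_CONFIRMATIONS = 6  # assumed finality policy for the example


@dataclass
class Deposit:
    txid: str
    amount: int                # smallest unit, e.g. satoshi
    confirmations: int = 0
    reverted: bool = False     # constructed: reorg or dropped transaction


@dataclass
class Account:
    available: int = 0         # spendable balance
    pending: int = 0           # seen on chain but not yet final
    credited: set = field(default_factory=set)  # txids already moved to available


def vulnerable_on_deposit_seen(acct: Account, dep: Deposit) -> None:
    """Flawed: the spendable balance goes up as soon as a deposit is initiated."""
    acct.available += dep.amount


def hardened_on_deposit_seen(acct: Account, dep: Deposit) -> None:
    """Correct: an unconfirmed deposit is tracked as pending and is never spendable."""
    acct.pending += dep.amount


def hardened_on_deposit_update(acct: Account, dep: Deposit) -> None:
    """Called on every chain update; credits once, only when final, and unwinds
    the pending value if the deposit never completes."""
    if dep.reverted:
        if dep.txid in acct.credited:       # defensive: a reorg after crediting
            acct.credited.discard(dep.txid)
            acct.available -= dep.amount
        else:
            acct.pending -= dep.amount
        return
    if dep.confirmations >= REQUIRED_CONFIRMATIONS and dep.txid not in acct.credited:
        acct.credited.add(dep.txid)         # idempotent: repeated updates credit once
        acct.pending -= dep.amount
        acct.available += dep.amount


def withdraw(acct: Account, amount: int) -> bool:
    """Withdrawals draw only on the available balance."""
    if amount <= 0 or amount > acct.available:
        return False
    acct.available -= amount
    return True


def dropped_deposit(handler: str) -> dict:
    """A deposit that is initiated and then never completes."""
    acct, dep = Account(), Deposit(txid="constructed-tx-1", amount=100_000)
    if handler == "vulnerable":
        vulnerable_on_deposit_seen(acct, dep)
        withdrawn = withdraw(acct, 100_000)     # paid out of the treasury for nothing
        return {"withdrawn": withdrawn, "available": acct.available, "pending": 0}
    hardened_on_deposit_seen(acct, dep)
    withdrawn = withdraw(acct, 100_000)         # refused: funds are still pending
    dep.reverted = True
    hardened_on_deposit_update(acct, dep)
    return {"withdrawn": withdrawn, "available": acct.available, "pending": acct.pending}


def confirmed_deposit_twice() -> dict:
    """The hardened path credits exactly once even if the update arrives twice."""
    acct, dep = Account(), Deposit(txid="constructed-tx-2", amount=50_000)
    hardened_on_deposit_seen(acct, dep)
    dep.confirmations = REQUIRED_CONFIRMATIONS
    hardened_on_deposit_update(acct, dep)
    hardened_on_deposit_update(acct, dep)       # duplicate notification
    withdrawn = withdraw(acct, 50_000)          # the full, now-final amount
    return {"credited_once": acct.credited == {"constructed-tx-2"},
            "withdrawn": withdrawn, "available": acct.available, "pending": acct.pending}


if __name__ == "__main__":
    print("vulnerable:", dropped_deposit("vulnerable"))
    print("hardened:  ", dropped_deposit("hardened"))
    print("confirmed: ", confirmed_deposit_twice())
```

Two properties matter in the hardened version: spendable balance only changes on a finality event, never on the initial "deposit seen" event, and crediting is keyed on the transaction ID so that retries, duplicate notifications or a repeated UI action cannot credit the same deposit twice.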

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
