| Category | Industry | Motivation | Region | Source* |
|---|---|---|---|---|
| Adversary Intelligence | Underground | Financial | Global | C - Fairly Reliable; 4 - Doubtfully True |
- CloudSEK’s contextual AI digital risk platform XVigil discovered a new phishing-as-a-service platform named “Caffeine.”
- Subscribers can use the platform to launch phishing campaigns with the custom phishing kits it sells.
- The platform mostly contains phishing templates customized to attack Russian and Chinese entities.
Caffeine Platform Analysis
- The platform is open to all and does not require any referral code to register.
- After registering, a threat actor can buy a subscription license; pricing depends on the duration and the features included:
- USD 250 for a month
- USD 450 for 3 months
- USD 850 for 6 months
- The subscription also includes anti-detection and anti-analysis mechanisms and customer support, which makes Caffeine more expensive than most other phishing-as-a-service platforms.
- In addition to the phishing kits themselves, the platform offers:
- Dynamic URL schemes that generate per-victim links so the landing page opens with the victim's details (such as the username) already filled in
- Final lure pages and first-stage redirect pages for campaigns
- Geo-blocking, CIDR range-based blocking, and other IP blocklisting options
- At the time of writing, the platform appears to be temporarily down for maintenance.
- CloudSEK researchers investigated the services offered on the Caffeine platform and found that the threat actor was abusing ongraphy[.]com, a no-code SaaS platform for building websites and apps for online teaching businesses, to host pages for the campaigns.
- No-code SaaS services of this kind are quickly adopted and abused by other threat actors to host malicious pages.
- An older phishing page was hosted on eduardorodiguez9584[.]com and distributed via email.
- The Caffeine platform emerged in October 2021, when a threat actor using the handle "MRxCODER" advertised the store and an Office 365 sender tool.
- The threat actor also operates on Telegram, where regular updates and new tools from the platform are advertised.
- A video demonstration of the platform's Python spamming tools was advertised on Crax Tube.
- The platform's Telegram channel promoted numerous bots and an Office 2FA cookies stealer. On the channel, the following were advertised:
- Caffeine Sender
- Caffeine Redirect
- OfficeTools FUD Telegram Bot
- Chase Bank KIT
- FUD Links Service
- Boa Kit
- Dubai Islamic Bank Kit
- Office 365 Cookies stealer
- The threat actor (the Caffeine Store administrator) ran a poll on Telegram asking subscribers which phishing kit should be built next.
- Phishing kits for Chase Bank, Bank of America, and Dubai Islamic Bank are advertised on the service's Telegram channel, along with a service that produces FUD (fully undetectable) phishing URLs for large-scale campaigns.
- The Office 365 2FA cookie stealer captures the session cookies issued after two-factor authentication, along with the victim's PII, and collects logs.
- The platform also provides email templates for spam campaigns that lure victims to the phishing pages.
- The Ongraphy domain served as a redirect to a phishing page hosted on a third-party domain that mimics the official website of an Italian ophthalmologist's medical practice.
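The dynamic URL scheme and the geo/CIDR blocking described in the analysis above are what an analyst runs into first: the victim's address is carried in the link so the page can pre-fill it, and visitors from blocked ranges or countries are shown a harmless decoy instead of the credential form. The following is an added example that models both behaviours for defenders; it is not code from CloudSEK or from the Caffeine platform. The parameter name `u`, the base64url encoding, the sample IP ranges, the country codes and the log lines are all assumptions made for the demonstration.

```python
"""Added example (not CloudSEK's or Caffeine's code).

Models two kit behaviours described in the analysis: per-victim dynamic
URLs with pre-filled data, and geo/CIDR gating that decides whether a
visitor gets the lure or a benign decoy. Parameter names, ranges and
country codes are assumptions for the demo, not the real kit's values.
"""
import base64
import ipaddress
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlencode, urlparse


def b64url_nopad(data: str) -> str:
    return base64.urlsafe_b64encode(data.encode()).decode().rstrip("=")


def b64url_decode(token: str) -> str:
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def build_victim_url(lure_base: str, email: str) -> str:
    """Dynamic URL scheme: the victim's address rides along in the link
    (assumed here as a base64url 'u' parameter) so the landing page can
    pre-fill the username field and look like a routine re-login."""
    return f"{lure_base}?{urlencode({'u': b64url_nopad(email)})}"


def extract_prefilled_victim(url: str) -> Optional[str]:
    """Analyst helper: recover a pre-filled address from a phishing URL.
    Checks query and fragment values in plain, percent-encoded and
    base64url form, which covers the usual pre-fill tricks."""
    parsed = urlparse(url)
    candidates: List[str] = []
    for part in (parsed.query, parsed.fragment):
        for values in parse_qs(part).values():
            candidates.extend(values)
        if part and "=" not in part:  # bare value, e.g. #victim@corp.example
            candidates.append(part)
    for value in candidates:
        value = unquote(value)
        if "@" in value:
            return value
        try:
            decoded = b64url_decode(value)
        except (ValueError, UnicodeDecodeError):
            continue
        if "@" in decoded:
            return decoded
    return None


def gate_visitor(ip: str, country: str, blocked_cidrs: Iterable[str],
                 blocked_countries: Iterable[str]) -> str:
    """Geo/CIDR gating as a kit applies it: a visitor from a blocked range
    or country is served a decoy instead of the credential form."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in blocked_cidrs):
        return "decoy"
    if country.upper() in {c.upper() for c in blocked_countries}:
        return "decoy"
    return "lure"


LURE = "https://lure.example/login"           # assumed lure base URL
SANDBOX_RANGES = ["198.51.100.0/24"]          # assumed analyst sandbox egress range
BLOCKED_COUNTRIES = ["US"]                    # assumed operator geo-block

# Constructed access-log rows (ip, country, requested URL) for the demo.
SAMPLE_LOG = [
    ("203.0.113.7", "GB", build_victim_url(LURE, "victim@corp.example")),
    ("198.51.100.9", "GB", build_victim_url(LURE, "victim@corp.example")),
    ("203.0.113.8", "US", LURE + "#other@corp.example"),
]


def triage(log=SAMPLE_LOG) -> List[Tuple[str, Optional[str]]]:
    """For each row: what the kit would have served, and whose address
    was pre-filled in the link."""
    return [(gate_visitor(ip, cc, SANDBOX_RANGES, BLOCKED_COUNTRIES),
             extract_prefilled_victim(url)) for ip, cc, url in log]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The practical point for responders: the second and third rows show why detonating a reported link from a sandbox or from outside the targeted region often returns only the redirect or decoy, so a "clean" verdict from such a visit does not clear the URL; the pre-filled address in the link still identifies who was targeted and should be recorded before the page is torn down.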
| Threat Actor Profiling | |
|---|---|
| Telegram | t.me/caffeinestore_news, @mrxc0der, @mrxc0derii |
| History | Threat actor advertised the Caffeine store and a free carrier lookup bot |
| Rating | C4 (C: Fairly Reliable; 4: Doubtfully True) |
- *Intelligence source and information reliability - Wikipedia
- Traffic Light Protocol - Wikipedia
- Mandiant Caffeine Report