Published on June 13, 2026
Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications
Severity
Medium
Detail
Researchers have identified OnyxC2, a new Malware-as-a-Service (MaaS) credential-stealing platform being marketed on cybercrime forums for as little as $250 per month. The malware is designed to steal credentials, session cookies, password manager data, cryptocurrency wallet information, and two-factor authentication (2FA) tokens from a wide range of applications.
According to analysis by BlackFog, OnyxC2 targets more than 210 applications and browser extensions, providing attackers with a comprehensive toolkit for credential theft, remote access, and data exfiltration.
How?
OnyxC2 is primarily distributed through fake software installers disguised as legitimate applications and Windows update packages. Victims are lured into opening password-protected archives (the password keeps the contents from being scanned in transit) and running the bundled executable, which is a legitimate, signed application. That application then loads a malicious DLL dropped beside it, a DLL sideloading technique that lets the malware run under the cover of a trusted signed binary.
Once launched, the malware decrypts and loads its payload in memory. To defeat antivirus scanning and signature-based detection it relies on evasion techniques such as per-build mutation, hand-written assembly, and oversized DLL files padded past the file-size limits many scanners apply.
After execution, OnyxC2 harvests credentials and sensitive information from browsers, password managers, cryptocurrency wallets, FTP clients, email clients, and browser extensions, including extensions used for two-factor authentication. The malware also collects session cookies, autofill data, stored payment information, and authentication tokens; because a stolen cookie or token stays valid until the session is revoked, attackers can access accounts even after the victim changes the password.
Stolen information is encrypted and transmitted to attacker-controlled infrastructure. Beyond credential theft, OnyxC2 offers remote-access capabilities including a hidden VNC session (HVNC) for covert control of the victim's desktop and browser, keylogging, screenshot capture, file management, a SOCKS5 proxy, and Tor-based traffic routing, enabling operators to maintain access and carry out further malicious activity from the victim's machine.
Conclusion
OnyxC2 demonstrates the continued evolution of the Malware-as-a-Service ecosystem, lowering the barrier to entry for cybercriminals while providing advanced credential theft and remote access capabilities. Its broad targeting of browsers, password managers, cryptocurrency wallets, and business applications makes it a significant threat to both individuals and organizations.
Organizations should educate users on the risks of downloading software from untrusted sources, monitor for DLL sideloading (a signed executable loading an unsigned DLL from the same user-writable directory), enforce phishing-resistant multi-factor authentication such as FIDO2/WebAuthn where possible, and deploy endpoint controls that detect abnormal access to browser credential stores and data exfiltration attempts. Because stolen cookies and tokens outlive a password reset, revoking active sessions on suspected compromise matters as much as changing passwords. Monitoring outbound traffic and implementing anti-data-exfiltration protections can also limit the loss of sensitive information even after an endpoint is compromised.
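The advisory above describes the delivery chain (a signed executable run from a dropped archive loading a malicious DLL from its own directory) and recommends monitoring for DLL sideloading. The following Python script is an added example, not code from the advisory or from BlackFog's analysis, showing one way to score Sysmon Event ID 7 (ImageLoad) records for that pattern: a DLL loaded from the process's own user-writable directory that is unsigned or carries the name of a well-known Windows system DLL. The flattened key=value record format, the sample records, the directory patterns, the DLL-name list and the alert threshold are constructed assumptions for this example.

```python
"""Score Sysmon Event ID 7 (ImageLoad) records for DLL sideloading.

Heuristic: an application running from a user-writable directory loads a
DLL from that same directory, and the DLL is unsigned or is named like a
Windows system DLL that should come from System32. The records below are
constructed for this example; the field names follow Sysmon's Event ID 7
schema, but the 'Key=Value|Key=Value' flattening is an assumed export format.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Directories an ordinary user can write to (illustrative list, not from the advisory).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata|documents)|"
    r"programdata|temp|users\\public)",
    re.IGNORECASE,
)
# Loads from the real system directories are treated as legitimate here.
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64|winsxs)\\", re.IGNORECASE)

# System DLL names frequently spoofed by sideloaders (illustrative; extend from your telemetry).
SPOOFED_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
    "userenv.dll", "msimg32.dll", "dwmapi.dll",
}
ALERT_THRESHOLD = 5  # assumed cut-off for this example


@dataclass
class Finding:
    process: str
    dll: str
    score: int
    reasons: list[str]


def parse_kv_line(line: str) -> dict[str, str]:
    """Parse one flattened 'Key=Value|Key=Value' record into a dict."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(event: dict[str, str]) -> Finding | None:
    """Return a Finding when the record scores at or above ALERT_THRESHOLD."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not image or not loaded or SYSTEM_DIRS.match(loaded):
        return None
    proc_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    dll_name = ntpath.basename(loaded).lower()
    score, reasons = 0, []
    if dll_dir == proc_dir:
        score += 1
        reasons.append("DLL loaded from the process's own directory (sideload pattern)")
    if USER_WRITABLE.match(dll_dir):
        score += 2
        reasons.append("DLL lives in a user-writable directory")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus", "").lower() != "valid":
        score += 2
        reasons.append("DLL is unsigned or its signature is not valid")
    if dll_name in SPOOFED_SYSTEM_DLLS:
        score += 3
        reasons.append(f"{dll_name} normally loads from System32")
    if score < ALERT_THRESHOLD:
        return None
    return Finding(process=image, dll=loaded, score=score, reasons=reasons)


def scan(lines: list[str]) -> list[Finding]:
    """Assess every record and return the ones worth alerting on."""
    return [f for f in (assess(parse_kv_line(l)) for l in lines) if f is not None]


# Constructed sample records (not real telemetry): one sideload of a spoofed
# system DLL from Downloads, three benign loads, and one unsigned helper in Temp.
SAMPLE_RECORDS = [
    r"UtcTime=2026-06-13 09:12:01|Image=C:\Users\alice\Downloads\WindowsUpdate-KB\setup.exe|ImageLoaded=C:\Users\alice\Downloads\WindowsUpdate-KB\version.dll|Signed=false|SignatureStatus=Unavailable|Signature=",
    r"UtcTime=2026-06-13 09:12:02|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|SignatureStatus=Valid|Signature=Microsoft Windows",
    r"UtcTime=2026-06-13 09:12:03|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\plugin.dll|Signed=true|SignatureStatus=Valid|Signature=Vendor Inc",
    r"UtcTime=2026-06-13 09:12:04|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=false|SignatureStatus=Unavailable|Signature=",
    r"UtcTime=2026-06-13 09:12:05|Image=C:\Users\alice\AppData\Local\Temp\tool\tool.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\tool\helper.dll|Signed=false|SignatureStatus=Unavailable|Signature=",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"[score {finding.score}] {finding.process} -> {finding.dll}")
        for reason in finding.reasons:
            print("   -", reason)
```

On the constructed records only the Downloads sideload of version.dll and the unsigned helper in Temp cross the threshold; a signed or unsigned vendor DLL loaded from Program Files scores too low to alert. Sysmon's Signed and SignatureStatus fields describe the loaded DLL, not the parent process, so the script does not try to verify the executable's signature; pair it with Event ID 1 data if that matters in your environment.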
Source
https://cybersecuritynews.com/hackers-use-onyxc2-malware-as-a-service/
