A newly surfaced cyber threat, known as OnyxC2, is gaining traction among cybercriminals due to its capability to extract login information from a vast array of digital applications. Marketed as a comprehensive solution for hackers, this malware-as-a-service is available for just $250 a month, offering tools for widespread credential theft.
How OnyxC2 Operates and Its Features
OnyxC2 distinguishes itself through its capacity to target over 210 applications, encompassing both browsers and extensions. It is sold as a commercial software package, offering a web interface, payload creator, and tiered pricing. Users also benefit from a refund policy if their build is detected by security solutions.
Subscribers receive a toolkit that captures browser credentials, password manager data, two-factor authentication codes, and cryptocurrency wallet details. The data is exfiltrated through encrypted channels, enhancing the malware’s ability to evade detection by security systems.
Technical Analysis and Evasion Techniques
Analysts at Blackfog have conducted a thorough investigation, publishing their findings to highlight OnyxC2’s capabilities and stealth mechanisms. The malware’s architecture, written in C++ with assembly code, allows it to circumvent system-level security measures. Each build undergoes mutation to evade antivirus detection, with developers claiming an impressive 99% evasion rate.
The malware’s attack potential is substantial. For instance, a single compromised machine revealed the theft of 55 saved passwords, 4,717 cookies, 719 autofill entries, credit card information, and a cryptocurrency wallet—all within a single instance. This level of access can compromise financial systems, business accounts, and cloud services.
Wider Implications and Security Measures
OnyxC2’s extensive target list includes 37 Chromium-based browsers, 8 Gecko-based browsers, and numerous extensions, notably those for two-factor authentication. Even accounts fortified with 2FA are vulnerable to this threat. Additionally, the malware targets 5 password managers, 17 cryptocurrency wallets, and various FTP and email clients, extending its reach beyond personal accounts to business-related systems.
Beyond credential theft, OnyxC2 incorporates a remote-access toolkit featuring HVNC, a keylogger, screenshot capabilities, and file management. A SOCKS5 proxy and Tor tunnel further obscure attacker activities.
Distribution Methods and Recommendations
The malware is distributed via fake installer packages disguised as legitimate downloads, such as Windows updates or popular software. These packages are often password-protected to bypass automated scans. The installation involves a two-file setup that includes a signed application and a malicious DLL for sideloading.
To mitigate risks, Blackfog advises enforcing anti-data-exfiltration protections at endpoints, focusing on blocking outbound transfers at the source rather than relying solely on file scanning.
For those seeking more updates, follow our coverage on Google News, LinkedIn, and X, and set Cyber Security News as a preferred source for real-time insights.
