Cybersecurity · June 11, 2026 · via Security Affairs

OnyxC2 MaaS: A New Threat with Enterprise-Grade Data Theft Capabilities


A new malware-as-a-service (MaaS) platform called OnyxC2 is making waves in the cybercrime underground, offering enterprise-grade data theft together with a suite of advanced evasion techniques and remote access capabilities. The service, which appeared on cybercrime forums earlier this year, is sold on a subscription basis, with prices ranging from $250 to $6,000 depending on the feature set and support level.

A Stealthy and Sophisticated Threat

OnyxC2 targets over 210 applications, including 37 Chromium-based and 8 Gecko-based browsers, 95 Chromium and 14 Gecko extensions, 17 cryptocurrency wallets, and business-critical tools such as FTP and email clients. To stay under the radar, the malware relies on DLL sideloading and payloads that are kept encrypted until they run. Its developers even offer refunds if a build gets detected, underscoring their confidence in its stealth. BlackFog researchers analyzed two samples and found that a single infected host had already yielded 55 saved passwords, 4,717 cookies, 719 autofill entries, two payment cards, and a cryptocurrency wallet.

A Toolkit Beyond Credential Harvesting

The remote access toolkit bundled with OnyxC2 goes beyond simple data theft. It includes features like Hidden Virtual Network Computing (HVNC) over a web browser, LSASS memory dumping, RunPE execution (both in memory and on disk), a reverse SOCKS5 proxy, screenshot capture, a keylogger, a file manager, a reverse shell over HTTP, a built-in Tor tunnel, and AES-256-encrypted build downloads. Some of these features are not mentioned in the developers' public sales material, suggesting active development behind the scenes.

The delivery mechanism is particularly noteworthy. OnyxC2 ships with a legitimate application carrying a valid Authenticode signature, which none of the 71 antivirus engines on VirusTotal flag. Paired with it is a malicious DLL disguised as an NVIDIA graphics library, with the payload appended to legitimate file content so that the DLL still looks valid. When the victim runs the installer, the signed executable sideloads the malicious DLL, and the payload stays encrypted until runtime, which makes it hard to detect before execution. The package also includes ready-made lure installers, such as FinePrint, SystemSettings, a fake Windows update package, and Fling-Standalone aimed at gaming audiences, all designed to trick users into running the malware.
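One defender-side check that follows from the delivery mechanism above is to look for what the article describes: a large, high-entropy blob appended after the last section of a PE file (the "overlay"), which is where an encrypted payload glued onto a legitimate library ends up. The script below is an added example written for this page; it is not BlackFog's tooling and not code from the OnyxC2 kit. It parses the PE headers by hand, skips the Authenticode certificate table (which legitimately lives in the overlay of signed binaries), and scores the remainder by size and Shannon entropy. The minimal PE32+ DLL images it analyzes, the 4 KB / 7.0-bit thresholds, and the deterministic "encrypted payload" bytes are all constructed for the demonstration and are assumptions, not values taken from the samples in the article.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_overlay(data: bytes) -> bytes:
    """Bytes past the end of the last section's raw data, minus the Authenticode
    certificate table (data directory 4), which signed binaries legitimately store there."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (112 if magic == 0x20B else 96)      # PE32+ vs PE32 data directories
    cert_off = cert_size = 0
    if opt_size >= (dir_base - opt) + 5 * 8:              # directory 4 is present
        cert_off, cert_size = struct.unpack_from("<II", data, dir_base + 4 * 8)
    sect_table = opt + opt_size
    end = sect_table + num_sections * 40                  # at least past the section table
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    overlay = data[end:]
    if cert_size and cert_off >= end:                     # cut the certificate blob out
        rel = cert_off - end
        overlay = overlay[:rel] + overlay[rel + cert_size:]
    return overlay


def assess(data: bytes, min_overlay: int = 4096, min_entropy: float = 7.0) -> dict:
    """Flag a file whose non-certificate overlay is both large and high-entropy.
    Thresholds are assumptions chosen for this demo, not values from the article."""
    overlay = pe_overlay(data)
    ent = shannon_entropy(overlay)
    return {
        "overlay_bytes": len(overlay),
        "overlay_entropy": round(ent, 2),
        "suspicious": len(overlay) >= min_overlay and ent >= min_entropy,
    }


def assess_file(path: str) -> dict:
    with open(path, "rb") as f:
        return assess(f.read())


# --- constructed sample images (demo only; not real NVIDIA or OnyxC2 files) -----------
def build_sample_dll(overlay: bytes, cert: bytes = b"") -> bytes:
    """Minimal PE32+ DLL with one .text section, an optional fake certificate table,
    and whatever bytes the caller appends after it."""
    raw_ptr, raw_size = 512, 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    cert_off = raw_ptr + raw_size if cert else 0
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(cert))   # security directory
    sect = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + bytes(opt) + sect
    image += b"\0" * (raw_ptr - len(image))
    image += b"\xC3" * raw_size                                      # stand-in code bytes
    return image + cert + overlay


def _keystream(n: int, seed: bytes = b"constructed-demo") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload (constructed)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:n])


FAKE_CERT = b"\x30\x82" + b"A" * 2046                    # placeholder 2 KB certificate table
TEXT_OVERLAY = b"Installer data: placeholder text\r\n" * 300   # benign, low-entropy tail
CLEAN_DLL = build_sample_dll(b"", cert=FAKE_CERT)
BENIGN_OVERLAY_DLL = build_sample_dll(TEXT_OVERLAY, cert=FAKE_CERT)
TROJANED_DLL = build_sample_dll(_keystream(32 * 1024), cert=FAKE_CERT)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_DLL), ("text-overlay", BENIGN_OVERLAY_DLL),
                       ("trojaned", TROJANED_DLL)]:
        print(f"{name:13s} {assess(blob)}")
```

Only the third image is flagged: the clean one has nothing beyond its certificate table, and the text overlay is large but far below 7 bits per byte. In practice this is a triage signal rather than a verdict, since self-extracting installers also carry big compressed overlays; pair it with a check that the DLL sitting next to a signed executable is itself signed by the vendor the name implies.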


Source: Security Affairs. AI-assisted editorial synthesis — TechnoExpress.
