Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes.
“It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,” Morphisec said in a new detailed technical write-up shared with The Hacker News.
Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.
A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.
Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence uncovered the malware’s use of Windows Management Instrumentation (WMI) in its infection chain to facilitate the collection of system metadata, such as BIOS, processor, disk size, and memory information.
The latest iteration of the malware, dubbed Chae$ 4 in reference to debug log messages present in the source code, packs in “significant transformations and enhancements,” including an expanded catalog of services targeted for credential theft as well as clipper functionalities.
Despite the changes in the malware architecture, the overall delivery mechanism has remained the same in attacks that were identified in January 2023.
Potential victims landing on one of the compromised websites are greeted by a pop-up message asking them to download an installer for Java Runtime or an antivirus solution, triggering the deployment of a malicious MSI file that, in turn, launches a primary orchestrator module known as ChaesCore.
The component is responsible for establishing a communication channel with the command-and-control (C2) server from where it fetches additional modules that support post-compromise activity and data theft –
- Init, which gathers extensive information about the system
- Online, which acts as a beacon to transmit a message back to the attacker that the malware is running on the machine
- Chronod, which steals login credentials entered in web browsers and intercept BTC, ETH, and PIX payment transfers
- Appita, a module with similar features as that of Chronod but specifically designed to target Itaú Unibanco’s desktop app (“itauaplicativo.exe”)
- Chrautos, an updated version of Chronod and Appita that focuses on gathering data from Mercado Libre, Mercado Pago, and WhatsApp
- Stealer, an improved variant of Chrolog which plunders credit card data, cookies, autofill, and other information stored in web browsers, and
- File Uploader, which uploads data related to MetaMask’s Chrome extension
Persistence on the host is accomplished by means of a scheduled task, while C2 communications entail the use of WebSockets, with the implant running in an infinite loop to await further instructions from the remote server.
The targeting of cryptocurrency transfers and instant payments via Brazils’ PIX platform is a noteworthy addition that underscores the threat actors’ financial motivations.
Detect, Respond, Protect: ITDR and SSPM for Complete SaaS Security
Discover how Identity Threat Detection & Response (ITDR) identifies and mitigates threats with the help of SSPM. Learn how to secure your corporate SaaS applications and protect your data, even after a breach.
“The Chronod module introduces another component used in the framework, a component called Module Packer,” Morphisec explained. “This component provides the module its own persistence and migration mechanisms, working much like the ChaesCore’s one.”
This method involves altering all shortcut files (LNK) associated with web browsers (e.g., Google Chrome, Microsoft Edge, Brave, and Avast Secure Browser) to execute the Chronod module instead of the actual browser.
“The malware uses Google’s DevTools Protocol to connect to the current browser instance,” the company said. “This protocol allows direct communication with the inner browser’s functionality over WebSockets.”
“The wide range of capabilities exposed by this protocol allows the attacker to run scripts, intercept network requests, read POST bodies before being encrypted, and much more.”