TheCyberThrone

Chae$4 Malware targets financial institutions


Researchers have discovered a new and advanced variant of the Chaes malware targeting customers of financial and logistics companies in Latin America.

The latest variant has been dubbed Chae$4. The original Chaes emerged in November 2020 and primarily targeted e-commerce customers in Latin America, particularly Brazil.

Chae$4 features a more sophisticated code structure, stronger encryption, and additional stealth mechanisms that make it harder to detect. It is written predominantly in Python and decrypts and executes its modules dynamically in memory, which lets it evade traditional file-based defenses.


Chae$4 targets a broader range of services, including prominent platforms and banks such as Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and even MetaMask.

The new variant uses WebSockets as the primary channel between its modules and its command-and-control (C2) server, and it uses a Domain Generation Algorithm (DGA) to resolve the C2 server's address dynamically.
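As an added example (not code from this page or from the Morphisec report), the Python script below scores queried domain names from a DNS query log with generic lexical DGA heuristics, which is the usual hunting angle against a DGA-resolved C2 address. The page does not describe Chae$4's actual generation algorithm, so the heuristics, the flag threshold, the log format, and the log lines themselves are assumptions; the log is constructed, and the random-looking names in it are invented, not Chae$4 indicators.

```python
"""Heuristic DGA-candidate triage over DNS query logs.

Added example, not Morphisec's or Chae$4's own code. The actual Chae$4
generation algorithm is not described on the page, so the scoring is a
generic lexical heuristic; the log format, lines and threshold are assumed.
"""
import math
from collections import Counter

# Constructed sample DNS query log (not from the Morphisec report).
# Assumed format: "<timestamp> <client-ip> <queried-name> <record-type>"
SAMPLE_DNS_LOG = """\
2023-09-05T10:01:02Z 10.0.0.12 www.mercadolibre.com.br A
2023-09-05T10:01:05Z 10.0.0.12 qx7f3k9zp1mw4ab.com A
2023-09-05T10:01:06Z 10.0.0.12 cdn.whatsapp.net A
2023-09-05T10:01:09Z 10.0.0.12 kd82jf7slq0xz3vt.net A
2023-09-05T10:01:10Z 10.0.0.12 mail.google.com A
"""

# Minimal public-suffix set so "com.br" is not mistaken for the registrable label.
KNOWN_SUFFIXES = {"com", "net", "org", "br", "com.br", "net.br"}
VOWELS = set("aeiou")
FLAG_THRESHOLD = 3  # assumed: flag when at least 3 of the 4 heuristics fire


def registrable_label(domain):
    """Return the label just left of the public suffix, e.g. 'mercadolibre'."""
    labels = domain.lower().rstrip(".").split(".")
    while len(labels) > 1 and labels[-1] in KNOWN_SUFFIXES:
        labels.pop()
    return labels[-1]


def shannon_entropy(s):
    """Bits per character; random-looking labels score close to log2(len(s))."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(domain):
    """Count how many lexical DGA heuristics a domain trips (0..4)."""
    label = registrable_label(domain)
    n = len(label)
    if n == 0:
        return 0
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    # Longest run of characters that are not vowels (digits count as non-vowels).
    longest_run = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest_run = max(longest_run, run)
    return sum([
        entropy > 3.5,        # high character diversity
        vowel_ratio < 0.2,    # unpronounceable
        digit_ratio > 0.2,    # digit-heavy
        longest_run >= 5,     # long consonant/digit runs
    ])


def scan_dns_log(text, threshold=FLAG_THRESHOLD):
    """Return [(qname, score)] for queries whose score reaches the threshold."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        qname = parts[2]
        score = dga_score(qname)
        if score >= threshold:
            hits.append((qname, score))
    return hits


if __name__ == "__main__":
    for qname, score in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DGA candidate: {qname} (score {score})")
```

A lexical score on its own is only a triage signal: CDNs and tracking hosts also produce random-looking labels, so in practice the flagged names should be correlated with the other behaviour described here, such as a WebSocket session from a process that has no business opening one, before being treated as a Chae$4 indicator.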

The Chae$4 malware comprises several modules, each serving a specific purpose. These modules include:


The attack chain starts with the execution of a malicious MSI installer, typically disguised as a legitimate application installer. The installer then drops and downloads the files needed to establish persistence on the infected system.

ChaesCore, the core component, sets up persistence and migrates into legitimate processes. Once initialized, it communicates with the C2 server and downloads additional modules as required; the communication is encrypted to hide its activity.

The MSI installer contains obfuscated JavaScript and PowerShell scripts that set up the malware's working directory and download the essential files. The Module Wrapper then decrypts and dynamically loads each module and executes its malicious code.

Different modules focus on stealing various types of data, such as login credentials, personal information, and financial data. 


The malware is still under active development, so new features or capabilities may be added in the future. Although it currently targets specific regions, the likelihood of it spreading to other regions is high, and it is constantly evolving.

This research was documented by researchers from Morphisec.

Indicators of Compromise
