New Python Variant of Chaes Malware Targets Banking and Logistics Industries

Cyber Security Threat Summary:
“Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. ‘It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,’ Morphisec said in a new detailed technical write-up shared with The Hacker News. Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information. A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. The latest iteration of the malware, dubbed Chae$ 4 in reference to debug log messages present in the source code, packs in ‘significant transformations and enhancements,’ including an expanded catalog of services targeted for credential theft as well as clipper functionalities. Despite the changes in the malware architecture, the overall delivery mechanism has remained the same in attacks that were identified in January 2023” (The Hacker News, 2023).

Security Officer Comments:
As mentioned above, the infection chain starts off with the threat actors compromising vulnerable WordPress sites to host malicious executables. In one of the attacks observed by researchers, website visitors were presented with a pop-up message requesting them to download an installer for Java Runtime or an antivirus solution. Initiating the download would lead to the deployment of a malicious MSI file that is designed to launch the primary orchestrator module for Chaes, known as Chaescore. After examining this module, researchers noted that it is capable of establishing C2 communications and fetching additional modules designed to help the threat actors steal data from the targeted system. Below is a description of the various modules employed by Chaes:

  • Init, which gathers extensive information about the system
  • Online, which acts as a beacon to transmit a message back to the attacker that the malware is running on the machine
  • Chronod, which steals login credentials entered in web browsers and intercepts BTC, ETH, and PIX payment transfers
  • Appita, a module with features similar to those of Chronod but specifically designed to target Itaú Unibanco's desktop app ("itauaplicativo.exe")
  • Chrautos, an updated version of Chronod and Appita that focuses on gathering data from Mercado Libre, Mercado Pago, and WhatsApp
  • Stealer, an improved variant of Chrolog which plunders credit card data, cookies, autofill, and other information stored in web browsers, and
  • File Uploader, which uploads data related to MetaMask's Chrome extension

Suggested Correction(s):
Administrators of content management systems such as WordPress should periodically check that their plugins and site themes are up to date and apply new patches as they are released, as threat actors can exploit outdated plugins and themes for initial compromise. Having a strong password policy in place and enabling two-factor authentication can be crucial in preventing attackers from compromising site accounts. Users browsing the web should also be careful when downloading software online, as threat actors are known to compromise websites to infect victims with malicious executables. When in doubt, it is always a good idea to scan software with an anti-virus solution prior to initiating an installation.