New Python-Based Chaes Malware Variant Targets Banking and Logistics Sectors

Introduction:

A recently discovered variant of the Chaes malware has emerged, posing a significant threat to the banking and logistics industries. This new version, rewritten entirely in Python, has successfully evaded detection by traditional defense systems due to its altered code structure and improved communication protocol. Initial reports indicate that the malware primarily targets e-commerce customers in Latin America, specifically Brazil, with the objective of stealing sensitive financial information.

Evolution of Chaes Malware:

Chaes first surfaced in 2020 and initially focused on compromising the security of e-commerce platforms in Brazil, such as Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. In early 2022, cybersecurity researchers from Avast discovered that the threat actors behind Chaes, self-identified as Lucifer, had breached over 800 WordPress websites to distribute the malware. Subsequent analysis by Tempest Security Intelligence in December 2022 revealed that Chaes had incorporated the use of Windows Management Instrumentation (WMI) in its infection chain to gather system metadata.

Features of the Latest Chaes Variant:

The most recent iteration of the malware, referred to as Chae$ 4, exhibits significant enhancements compared to its predecessors. It introduces an expanded range of targeted services for credential theft and incorporates clipper functionalities. Despite architectural changes, the malware's delivery mechanism has remained unchanged in attacks observed in January 2023.

Infection Process and Modules:

When unsuspecting users visit compromised websites, they are presented with a pop-up message urging them to download either a Java Runtime installer or an antivirus solution. This prompts the installation of a malicious MSI file, which initiates the primary module of Chaes, known as ChaesCore. ChaesCore establishes communication with a command-and-control (C2) server and retrieves additional modules for post-compromise activities and data theft. These modules include:

1. Init: Collects comprehensive information about the infected system.

2. Online: Acts as a beacon to notify the attacker that the malware is operational on the compromised machine.

3. Chronod: Steals login credentials entered in web browsers and intercepts cryptocurrency transactions, specifically targeting BTC, ETH, and PIX payments.

4. Appita: Similar to Chronod, but specifically designed to target Itaú Unibanco's desktop app ("itauaplicativo.exe").

5. Chrautos: An updated version of Chronod and Appita, focused on gathering data from Mercado Libre, Mercado Pago, and WhatsApp.

6. Stealer: Enhances the capabilities of Chrolog to extract credit card data, cookies, autofill information, and other browser-stored details.

7. File Uploader: Uploads data related to MetaMask's Chrome extension.

Persistence and Communication:

Chaes achieves persistence on the infected host through a scheduled task. Communication with the C2 server is facilitated using WebSockets, with the implant running in an infinite loop to await further instructions from the remote server.

Financial Motivations and Attack Techniques:

The targeting of cryptocurrency transfers and instant payments via Brazil's PIX platform highlights the financial motivations of the threat actors behind Chaes. The Chronod module introduces the Module Packer component, which ensures its persistence and migration mechanisms are similar to those of ChaesCore. To execute the Chronod module, the malware modifies shortcut files (LNK) associated with popular web browsers, such as Google Chrome, Microsoft Edge, Brave, and Avast Secure Browser. By utilizing Google's DevTools Protocol over WebSockets, the malware gains direct access to the browser's functionalities, allowing the attacker to run scripts, intercept network requests, and access unencrypted POST bodies, among other capabilities.
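A defender's check for the shortcut tampering described above, added here as an example and not taken from the report: it parses the StringData section of a Windows .lnk file (MS-SHLLINK layout) and flags browser shortcuts that carry command-line arguments. The heuristic that a stock browser shortcut has no arguments, the browser executable names, and the sample shortcuts built by `make_lnk` are all assumptions for this example.

```python
import struct

# ShellLink header size and LinkFlags bits from MS-SHLLINK.
HEADER_SIZE = 0x4C
HAS_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each with the LinkFlags bit that enables it.
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
# Assumed executable names of the browsers named in the report.
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "avastbrowser.exe")

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, arguments, ...) of a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for key, bit in STRING_FIELDS:          # CountCharacters (2 bytes) + chars, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            fields[key] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return fields

def is_suspicious_browser_lnk(data: bytes) -> bool:
    """Heuristic (assumption): a shortcut targeting a browser executable that carries
    command-line arguments has been altered; stock browser shortcuts pass none."""
    f = parse_lnk_strings(data)
    target = f.get("relative_path", "").lower()
    return target.endswith(BROWSERS) and bool(f.get("arguments", "").strip())

def make_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Constructed sample .lnk (Unicode StringData only, no IDList/LinkInfo) for testing."""
    flags = IS_UNICODE | 0x08 | (0x20 if arguments else 0)
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    header = struct.pack("<I16sI", HEADER_SIZE, clsid, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # remaining header fields zeroed
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + (s(arguments) if arguments else b"")

if __name__ == "__main__":
    clean = make_lnk(r"..\Google\Chrome\Application\chrome.exe")
    tampered = make_lnk(r"..\Google\Chrome\Application\chrome.exe", "--constructed-injected-arg")
    print(is_suspicious_browser_lnk(clean), is_suspicious_browser_lnk(tampered))  # False True
```

On a real host the same function can be run over the .lnk files in the Start Menu and Desktop folders; the `make_lnk` helper exists only to build offline samples.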

Conclusion:

The emergence of a Python-based variant of the Chaes malware poses a severe threat to the banking and logistics sectors. Its ability to evade traditional defense systems and its expanded range of targeted services underscore the evolving sophistication of cybercriminals. Organizations must remain vigilant and implement robust security measures to protect against this persistent and evolving threat.

#ChaesMalware #Cybersecurity #BankingIndustry #LogisticsSector #PythonMalware #ThreatActor #FinancialDataTheft

Theo Veltman

Us, you and me. All in one vessel.

1 year

So, what to do about it? I also found information that ChronoD is needed for timer purposes. Is that correct?


More articles by Ahmed Osama
