New Python variant of Chaes malware targets banking and logistics sectors


The banking and logistics sectors are under attack from a reworked variant of malware called Chaes.
“It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a complete overhaul and improved communications protocol,” Morphisec said in a new detailed technical report shared with The Hacker News.
Chaes, which first emerged in 2020, is known for targeting e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.
A subsequent analysis by Avast in early 2022 revealed that the malicious actors behind the operation, who call themselves Lucifer, had hacked more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre and Mercado Pago.
Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence discovered the malware’s use of Windows Management Instrumentation (WMI) in its infection chain to facilitate the collection of system metadata, such as BIOS, CPU, disk size, and memory information.

The latest iteration of the malware, called Chae$4 in reference to debug log messages present in the source code, incorporates “significant transformations and improvements”, including an expanded catalog of services targeted for credential theft as well as clipper features.
Despite changes in malware architecture, the overall delivery mechanism remained the same in attacks identified in January 2023.

Potential victims who land on one of the compromised websites are greeted with a pop-up message asking them to download an installer for Java Runtime or an antivirus solution, triggering the deployment of a malicious MSI file which, in turn, launches a main orchestrator module known as ChaesCore.
The component is responsible for establishing a communication channel with the command and control server (C2) from where it fetches additional modules that support post-compromise activities and data theft:
- Initialization, which gathers detailed information about the system
- Online, which acts as a beacon to transmit a message to the attacker that the malware is running on the machine
- Chronod, which steals login credentials entered into web browsers and intercepts BTC, ETH and PIX payment transfers
- Appita, a module with functionality similar to that of Chronod but specifically designed to target Itaú Unibanco’s desktop application (“itauaplicativo.exe”)
- Chrautos, an updated version of Chronod and Appita that focuses on collecting data from Mercado Libre, Mercado Pago and WhatsApp
- Thief, an enhanced variant of Chrolog that pilfers credit card data, cookies, autofill, and other information stored in web browsers, and
- File Downloader, which downloads data related to the MetaMask Chrome extension
Persistence on the host is accomplished through a scheduled task, while C2 communications involve the use of WebSockets, with the implant running in an infinite loop to wait for further instructions from the remote server.
The targeting of cryptocurrency transfers and instant payments via the Brazilian PIX platform is a notable addition that highlights the financial motivations of threat actors.
“The Chronod module introduces another component used in the framework, a component called Module Packer,” explained Morphisec. “This component provides the module with its own persistence and migration mechanisms, working much like that of ChaesCore.”
This mechanism involves modifying all shortcut (LNK) files associated with web browsers (e.g. Google Chrome, Microsoft Edge, Brave and Avast Secure Browser) so that they run the Chronod module instead of the browser itself.
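The shortcut hijack described above can be checked for from the defender's side by parsing each browser .lnk file and comparing its target with the binary that browser is expected to launch. The following Python is an added example, not code from the article or from Morphisec: it implements a minimal MS-SHLLINK parser (header, LinkInfo local base path, StringData arguments), builds two constructed shortcut fixtures inline so it runs offline, and applies an assumed browser-name-to-executable map plus a heuristic that flags arguments naming a script or executable. The fixture paths, the executable-name map and the argument heuristic are all assumptions, not details from the report.

```python
"""Check browser shortcuts (.lnk) for targets that are not the browser binary."""
import struct
from pathlib import PureWindowsPath

# Shell Link layout constants (MS-SHLLINK)
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

# Assumed map from shortcut display name to the executable it should launch
EXPECTED_BROWSER_BINARIES = {
    "google chrome": "chrome.exe",
    "microsoft edge": "msedge.exe",
    "brave": "brave.exe",
    "avast secure browser": "avastbrowser.exe",
}
# Heuristic: a browser shortcut should not pass a script or binary as an argument
SUSPICIOUS_ARG_EXTENSIONS = (".py", ".exe", ".dll", ".bat", ".vbs", ".js", ".ps1")


def parse_lnk(data: bytes) -> dict:
    """Extract the local target path and StringData fields from a .lnk file."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]  # LinkFlags follows size + CLSID
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the IDList if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + base_off                  # NUL-terminated ANSI path
            target = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += info_size

    def read_string() -> str:                       # CountCharacters + chars, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        return raw.decode("utf-16-le" if width == 2 else "latin-1")

    fields = {"target": target}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[key] = read_string() if flags & flag else ""
    return fields


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Build a minimal Shell Link; used only to construct offline test fixtures."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # fixed drive, empty label
    path = target.encode("latin-1") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(path)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, base_off, 0, suffix_off) + volume_id + path + b"\x00"
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le") if arguments else b""
    return header + link_info + args


def check_browser_shortcut(shortcut_name: str, data: bytes) -> list:
    """Return findings for a shortcut whose name says it should launch a known browser."""
    info = parse_lnk(data)
    expected = next((exe for name, exe in EXPECTED_BROWSER_BINARIES.items()
                     if name in shortcut_name.lower()), None)
    if expected is None:
        return []                                    # not a browser shortcut we can judge
    findings = []
    actual = PureWindowsPath(info["target"] or "").name.lower()
    if actual != expected:
        findings.append(f"target is {info['target']!r}, expected {expected}")
    if any(ext in info["arguments"].lower() for ext in SUSPICIOUS_ARG_EXTENSIONS):
        findings.append(f"suspicious arguments {info['arguments']!r}")
    return findings


# Constructed fixtures: one legitimate shortcut, one redirected to an interpreter
SAMPLES = {
    "Google Chrome.lnk": build_lnk(r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    "Brave.lnk": build_lnk(r"C:\Users\Public\runtime\pythonw.exe",
                           r"C:\Users\Public\runtime\module.py"),
}


def scan(samples=SAMPLES) -> dict:
    return {name: check_browser_shortcut(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On a live host the same `check_browser_shortcut` can be fed the bytes of each .lnk found in the Desktop, Start Menu and taskbar-pin folders; the parser only reads the local-path and argument fields, so network-only shortcuts (no local base path) come back with an empty target and are reported as a mismatch rather than silently passing.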
“The malware uses Google’s DevTools protocol to connect to the current instance of the browser,” the company said. “This protocol allows direct communication with internal browser functionality via WebSockets.”
“The wide range of functionality exposed by this protocol allows the attacker to execute scripts, intercept network requests, read POST bodies before being encrypted, and much more.”