New Variant of Chaes Malware Targets Customers in Finance and Logistics Sectors

Morgan Phisher October 4, 2023

Hey there, folks of the Bay Area! Let’s dive into the world of cyber threats, which just like our fabulous city, never seems to sleep.

So, what’s the latest buzz around the digital water cooler? Our old acquaintance Chaes is back with a new and improved version, Chaes 4. For those of you new to the party, Chaes is a malware family that has been active since 2020, mainly targeting customers of e-commerce platforms in Latin America.

Now, this isn’t your regular update. Chaes 4 has been rewritten entirely in Python, which lowers detection rates against traditional signature-based defenses, and it comes with a complete redesign of its architecture and an enhanced communication protocol. It also has a few more tricks up its sleeve: new modules that extend its malicious capabilities.

This updated version goes after credentials for prominent platforms, banks, and wallets, including Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and MetaMask. It also has a yen for content management systems, with WordPress, Joomla, Drupal, and Magento in its line of fire.

But what about its evolution, and how did it shape up into the current version? The Chaes we know today has been through quite a journey since 2020. The significant changes observed include an overhaul of the code architecture and increased stealthiness, a widespread shift to Python for execution, a custom method for monitoring and intercepting activity in Chromium-based browsers, and an expanded list of services targeted for credential theft.

Let’s not forget, this sneaky malware uses WebSockets as the primary channel between its modules and the control server, and in a smart twist, it uses a domain generation algorithm (DGA) to resolve the server address dynamically. With no fixed domain to seize or blocklist, that makes takedown by law enforcement and defenders much harder.
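To make the DGA point concrete, here is what the client side of "walk a generated list until one name resolves" looks like, together with the signal it leaves in DNS logs for defenders. This is an added illustration, not Chaes code: the post does not publish Chaes's actual generator, so the hashing scheme, the seed string, the TLD rotation, and the DNS log lines below are all hypothetical and constructed for the example.

```python
"""Added example (not Chaes code): a hypothetical date-seeded DGA and an
NXDOMAIN-burst detector over constructed DNS log lines.

The Chaes 4 write-up says the malware resolves its control server with a
DGA but does not publish the algorithm, so the generator here is a
stand-in.  The defensive observation is generic: a DGA client walks its
candidate list until one name resolves, so an infected host produces a
burst of NXDOMAIN answers for names nobody has ever looked up before.
"""
import hashlib
import re
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, Iterator, List, Optional, Tuple

TLDS = ("com", "net", "org")  # assumed TLD rotation for the stand-in DGA


def dga_candidates(day: date, count: int = 8, secret: str = "demo-seed") -> List[str]:
    """Hypothetical DGA: SHA-256 over (secret, date, index) -> 12-letter label.

    Anyone holding the secret (the operator, or an analyst who recovered it
    from the sample) regenerates the same list for a given day, which is
    what makes pre-registration by the operator and sinkholing by
    defenders possible.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{secret}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def pick_live_server(candidates: List[str], resolves: Dict[str, Optional[str]]) -> Optional[str]:
    """Client-side walk: return the first candidate that resolves.

    `resolves` stands in for DNS and maps name -> IP, or None for NXDOMAIN.
    """
    for name in candidates:
        if resolves.get(name):
            return name
    return None


# Constructed DNS log lines in a simple "time client qname rcode" format.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

SAMPLE_LOG = """\
2023-10-04T09:00:01 10.0.0.5 www.mercadolibre.com NOERROR
2023-10-04T09:00:02 10.0.0.7 abcdefghijkl.com NXDOMAIN
2023-10-04T09:00:02 10.0.0.7 mnopqrstuvwx.net NXDOMAIN
2023-10-04T09:00:03 10.0.0.7 qwertyuiopas.org NXDOMAIN
2023-10-04T09:00:03 10.0.0.7 zxcvbnmasdfg.com NXDOMAIN
2023-10-04T09:00:04 10.0.0.7 plokijuhygtf.net NXDOMAIN
2023-10-04T09:00:05 10.0.0.7 rfvtgbyhnujm.org NOERROR
2023-10-04T09:05:00 10.0.0.5 typo.exampel.com NXDOMAIN
"""


def parse_dns_log(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, client, qname, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield datetime.fromisoformat(ts), client, qname.lower(), rcode


def nxdomain_bursts(text: str, window_s: int = 60, threshold: int = 4) -> Dict[str, int]:
    """Return {client: max distinct NXDOMAIN names seen within any window}
    for clients whose maximum reaches the threshold."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            names = {q for t, q in events[i:] if (t - t0).total_seconds() <= window_s}
            best = max(best, len(names))
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    today = date(2023, 10, 4)
    cands = dga_candidates(today)
    # Pretend the operator registered only the third candidate for today.
    fake_dns = {cands[2]: "198.51.100.7"}
    print("live C2 today:", pick_live_server(cands, fake_dns))
    print("NXDOMAIN bursts:", nxdomain_bursts(SAMPLE_LOG))
```

The takeaway for the blue team is the second half: the algorithm itself is opaque until someone reverse-engineers the sample, but the behaviour it forces on the client (many failed lookups for never-seen names from one host in a short window) is visible in ordinary resolver logs. Window and threshold are tunable; a real deployment would also exclude known typo-prone sources and chained CNAME failures to keep the false-positive rate down.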

And guess what, folks? Just like an episode of Stranger Things, things get even more interesting when you start peeling back the layers of the infection method. What sets off the malicious chain of events is a low-detection installer disguised as something far more innocent, like a Java JDK installer or antivirus software. Once run, it deploys and downloads the files it needs, then launches the core module, which establishes persistence and migrates into targeted processes. Now our Chaes is all set to create havoc.

Our investigators found seven standalone modules, each contributing a distinct capability to the overall operation: modules that gather data on the infected system, modules that intercept browser activity to steal banking information, a module built specifically for Itau Bank’s application, and even a module focused on stealing cryptocurrency. Quite the naughty toolbox, right?

But wait, there’s more! A complete review of our bad guy Chaes 4 awaits you with detailed analysis on each of its sophisticated components. This deep dive into the mechanics of the malware, its implications, and actions our beloved healthcare and cybersecurity folks can take to safeguard themselves, is a must-read.

Let’s remember folks, knowledge is power. And in the world of cyber threats, the more we know, the better we can protect. Let’s keep the Bay Area safe, one byte at a time! Until next time, keep your firewalls high and your passwords stronger!

by Morgan Phisher