Experts at Cybereason Nocturnus have uncovered an active campaign targeting the users of a large e-commerce platform in Latin America with malware tracked as Chaes.
The Chaes malware was first spotted by Cybereason researchers in mid-to-late 2020. It is a multistage information stealer that focuses on Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America; in 2019, over 320 million users were registered on the MercadoLivre e-commerce platform.
Its components are written in several languages, including VBScript, .NET, Delphi and Node.js. Experts believe the malicious code is still under active development.
“Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.Js information stealer that exfiltrates data using the node process.” reads the analysis published by Cybereason.
Chaes is also able to take screenshots of the victim's machine, and to hook and monitor the Chrome web browser to collect user information from infected hosts.
The kill chain starts with phishing messages carrying a .docx file that, once opened, triggers a template injection attack.
The attackers abuse Microsoft Word's built-in remote-template feature: the attached-template target referenced from the document's embedded settings.xml (the relationship itself lives in word/_rels/settings.xml.rels) is replaced with a download URL, so Word fetches the next-stage payload from the attacker's server when the document is opened.
Upon connecting to the command-and-control server, the malware downloads the first malicious payload as a .msi file, which deploys a .vbs file used to execute other processes, together with uninstall.dll and engine.bin. The malware also installs three other files, hhc.exe, hha.dll and chaes1.bin; researchers also observed the use of a cryptocurrency mining module.
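The remote-template trick described above is easy to check for without opening the document in Word. The following is an added example written for this article (not Cybereason's analysis code and not anything recovered from the Chaes lures): it unpacks a .docx as the zip it is, reads the relationships part that accompanies word/settings.xml, and reports any attachedTemplate relationship whose target is external and not a local file. The sample documents it inspects are constructed in memory for the demo; the URL and file names in them are placeholders, not indicators from the campaign.

```python
"""Flag remote-template (template injection) lures in .docx files.

Added example for this article, not the Chaes authors' or Cybereason's code.
A .docx is a zip archive. word/settings.xml carries <w:attachedTemplate r:id="..."/>;
the r:id resolves through word/_rels/settings.xml.rels, where a benign document
points at a local .dotx/.dotm and a lure points at an http(s) or UNC target that
Word fetches on open.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE = NS_R + "/attachedTemplate"
RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return the external attachedTemplate targets found in a .docx (empty if clean)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits  # no template relationship at all: nothing to fetch
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter("{%s}Relationship" % NS_PKG):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            mode = rel.get("TargetMode", "Internal")
            # Internal targets are package-relative paths; external ones that are
            # not file: URIs (http(s), UNC paths) are fetched over the network.
            if mode == "External" and not target.lower().startswith("file:"):
                hits.append(target)
    return hits


def build_sample_docx(template_target, external=True):
    """Constructed minimal .docx for the demo: only the parts the check reads."""
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="%s" xmlns:r="%s">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>' % (NS_W, NS_R)
    )
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
        "</Relationships>" % (NS_PKG, ATTACHED_TEMPLATE, template_target, mode)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="%s"/>' % NS_W)
        z.writestr("word/settings.xml", settings)
        z.writestr(RELS_PART, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL and paths; not indicators from the campaign.
    lure = build_sample_docx("https://example.invalid/t.dotm")
    benign = build_sample_docx("file:///C:/Users/user/Templates/Normal.dotm")
    print("lure:", find_remote_templates(lure))      # ['https://example.invalid/t.dotm']
    print("benign:", find_remote_templates(benign))  # []
```

The same relationship type also appears in word/_rels/document.xml.rels in some generators, so a production scanner should walk every .rels part rather than only the settings one; and because a UNC target leaks NetNTLM hashes as well as fetching a template, treating any non-file external target as suspicious (as above) is the safer default.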
The Chaes attack chain is composed of several stages that include the use of LOLBins and other legitimate software to avoid detection by AV products.
Experts observed several variants over recent months; its authors have improved the encryption and added new functionality to the final Node.js module.
“Multistage malware that uses such techniques in the LATAM region and specifically in Brazil have already been observed and investigated by Cybereason in the past years. Chaes demonstrates how sophisticated and creative malware authors in the Latin America region can be when attempting to reach their goals.” concludes the report. “The malware not only serves as a warning sign to information security researchers and IT professionals not to take lightly the existence of files that are legitimate in nature, but also raises the concern of a possible future trend in using the Puppeteer library for further attacks in other major financial institutions”
(SecurityAffairs – hacking, malware)