The banking and logistics sectors are currently facing an assault from an updated version of malware known as Chaes.
In early 2022, Avast published an analysis showing how the individuals behind the threat actor tracked as Lucifer had compromised over 800 WordPress websites and used that access to distribute the Chaes malware to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.
In December 2022, Tempest Security Intelligence, a Brazilian cybersecurity company, exposed the use of Windows Management Instrumentation (WMI) within the infection chain.
WMI was used to gather system metadata, including details such as the BIOS, processor specifications, disk data, and memory size.
The most recent iteration of this malware, named Chae$ 4, introduces “substantial modifications and enhancements,” including an extended roster of services aimed at pilfering credentials and executing clipper functions.
Despite changes in the malware architecture, the overall delivery mechanism remained the same in the attacks identified in January 2023.
This core component is responsible for establishing a communication channel with the command and control server (C2). From there, it retrieves additional modules that support post-compromise activity and data theft:
- Init: This module collects comprehensive information about the system.
- Online: It serves as a beacon, signaling to the attacker that the malware is operational on the compromised machine.
- Chronod: This module specializes in pilfering credentials entered into web browsers and interfering with BTC, ETH, and PIX payment transfers.
- Appita: Designed with similar features to Chronod, but with a specific focus on targeting Itaú Unibanco’s desktop app, “itauaplicativo.exe.”
- Chrautos: An upgraded version combining the functionalities of Chronod and Appita, with a primary focus on data collection from Mercado Libre, Mercado Pago, and WhatsApp.
- Stealer: An advanced iteration of Chrolog, dedicated to snatching credit card data, cookies, autocomplete information, and other data stored in web browsers.
- File Uploader: This module is tasked with uploading data related to the MetaMask Chrome extension.
To maintain persistence on the host, a scheduled task is used, and communication with the C2 is handled over WebSockets. The implant runs in an endless loop, waiting for further instructions from the remote server.
The focus on cryptocurrency transfers and instant payments via Brazil’s PIX platform underscores the attackers’ financial motivation.
The technique used to hook the browsers entails altering all the shortcuts (LNK) linked to web browsers such as Google Chrome, Microsoft Edge, and Avast Secure Browser (with Brave potentially added in the future), so that they execute the Chronod module instead of launching the actual browser.
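The shortcut tampering described above leaves a durable artifact that a defender can audit: the browser .lnk files themselves. The following added example (written for this page, not code from the article, from Avast, Tempest, or the Chae$ 4 report) contains a minimal parser for the Shell Link format that pulls out the local target path and the command-line arguments, and a check that flags a browser shortcut whose target is not the expected browser binary or that carries arguments. The parser covers the header, the LinkInfo local base path and the StringData fields only; the shell item ID list and the optional Unicode LinkInfo offsets are skipped. The `build_lnk` helper exists only to construct sample shortcuts for offline testing, and the Chrome path and the `PLACEHOLDER_loader.exe` name are constructed assumptions, not indicators taken from the page.

```python
import struct

# Shell Link (.lnk) constants from the MS-SHLLINK layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return the local target path and the arguments field of a .lnk blob."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    target = None
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the shell item ID list
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + base_off)
            # LocalBasePath is a null-terminated ANSI string (system code page assumed cp1252)
            target = data[pos + base_off:end].decode("cp1252")
        pos += li_size
    fields = {}
    for flag, name in STRING_DATA_ORDER:          # each field: uint16 char count, then chars
        if flags & flag:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252")
                pos += count
    return {"target": target, "arguments": fields.get("arguments", "")}


def build_lnk(local_base_path: str, arguments: str = "") -> bytes:
    """Build a minimal .lnk blob (constructed test data: header + LinkInfo + arguments)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base_path = local_base_path.encode("cp1252") + b"\x00"
    vol_off = 0x1C                                                  # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    li_size = suffix_off + 1                                        # + empty CommonPathSuffix
    link_info = (struct.pack("<IIIIIII", li_size, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
                 + volume_id + base_path + b"\x00")
    string_data = b""
    if arguments:
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data + struct.pack("<I", 0)   # terminal ExtraData block


def check_browser_shortcut(lnk_bytes: bytes, expected_exe: str) -> tuple:
    """Flag a browser shortcut whose target is not the expected binary or that carries arguments."""
    info = parse_lnk(lnk_bytes)
    target = (info["target"] or "").lower()
    if not target.endswith("\\" + expected_exe.lower()):
        return True, "target is %r, expected %s" % (info["target"], expected_exe)
    if info["arguments"].strip():
        return True, "unexpected arguments %r" % info["arguments"]
    return False, "ok"


if __name__ == "__main__":
    # Constructed samples: a clean Chrome shortcut and one redirected to a placeholder loader.
    clean = build_lnk(r"C:\Program Files\Google\Chrome\Application\chrome.exe")
    hijacked = build_lnk(r"C:\Users\Public\Libraries\PLACEHOLDER_loader.exe", "--launch-browser")
    for label, blob in (("clean", clean), ("hijacked", hijacked)):
        print(label, check_browser_shortcut(blob, "chrome.exe"))
```

On a real host the bytes would be read from the .lnk files on the Desktop, in the Start Menu, and in the taskbar pinned-items folder, and `expected_exe` would come from an allow-list per browser. The argument check is a review trigger rather than a verdict: legitimate browser shortcuts can carry arguments such as a profile selector, so a flagged shortcut should be compared against a known-good copy before the scheduled task and WebSocket activity the article describes are hunted for.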