New Python Variant of Chaes Malware Targets Banking and Logistics Sectors

The banking and logistics industries are facing a renewed threat from a revamped version of the malware known as Chaes. This variant has undergone significant changes: a complete rewrite in Python, which lowers its detection rate against traditional signature-based defenses, and a comprehensive redesign with an improved communication protocol.

Chaes, which initially surfaced in 2020, is notorious for its focus on e-commerce customers in Latin America, particularly in Brazil, with the aim of pilfering sensitive financial information.

A subsequent investigation conducted by Avast in early 2022 revealed that the threat actors, self-identified as “Lucifer,” had compromised over 800 WordPress websites to distribute Chaes to users of platforms like Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.

Further developments were observed in December 2022 when Brazilian cybersecurity firm Tempest Security Intelligence discovered that the malware had incorporated the use of Windows Management Instrumentation (WMI) into its infection chain. This addition facilitated the collection of critical system metadata, including BIOS information, processor details, disk size, and memory information.

The latest incarnation of this malware, dubbed Chae$ 4 due to debug log messages found in the source code, introduces “significant transformations and enhancements.” These include an expanded range of targeted services for credential theft and the addition of clipper functionality.

Despite the architectural modifications, the overall delivery mechanism remained consistent in attacks identified in January 2023.

Potential victims landing on compromised websites encounter a pop-up message prompting them to download an installer for Java Runtime or an antivirus solution. Accepting the download delivers a malicious MSI installer, which in turn launches the primary orchestrator module, known as ChaesCore.

ChaesCore’s primary function is to establish a communication channel with the command-and-control (C2) server. It fetches additional modules from this server to support post-compromise activities and data theft.

To maintain persistence on the host, the malware employs a scheduled task, while C2 communications are conducted via WebSockets. The implant operates in an infinite loop, awaiting further instructions from the remote server.

Morphisec explained, “The Chronod module introduces another component used in the framework, a component called Module Packer. This component provides the module its own persistence and migration mechanisms, working much like ChaesCore’s.”

That persistence and migration mechanism works by modifying every shortcut file (LNK) associated with web browsers such as Google Chrome, Microsoft Edge, Brave, and Avast Secure Browser. Instead of launching the browser directly, the altered shortcuts execute the Chronod module, which then takes over starting the browser.

The module then uses the Chrome DevTools Protocol to attach to the browser instance. The protocol exposes the browser's internals over a WebSocket debugging endpoint, which a browser only offers when it is launched with remote debugging enabled; because the hijacked shortcut hands the launch to Chronod, the module controls how the browser is started.

Morphisec added, “The wide range of capabilities exposed by this protocol allows the attacker to run scripts, intercept network requests, read POST bodies before encryption, and much more.”
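Both of the behaviours above, the hijacked browser shortcuts and a browser left running with its DevTools endpoint exposed, leave artifacts a defender can check for on an endpoint. The PowerShell below is an added example written for this page; it is not code from Morphisec's report or from the malware. It assumes a default Windows layout for the shortcut directories and the browser executable names listed in `$browserExe`, and it flags a shortcut when its name says "browser" but its target is something else, when its arguments enable remote debugging, or when a browser process is already running with the `--remote-debugging-port` or `--remote-debugging-pipe` switch.

```powershell
# Added example for this page (not the malware's code, not Morphisec's tooling).
# Assumption: stock Windows shortcut locations and these browser executable names.
$browserExe = @('chrome.exe', 'msedge.exe', 'brave.exe', 'AvastBrowser.exe')
$browserShortcutName = 'Google Chrome|Microsoft Edge|Brave|Avast Secure Browser'

$shortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)

# WScript.Shell resolves a .lnk into its target path and argument string.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $shortcutDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $targetName = [System.IO.Path]::GetFileName($lnk.TargetPath)

            $namedLikeBrowser = $_.BaseName -match $browserShortcutName
            $targetsBrowser   = $browserExe -contains $targetName
            $enablesDebugging = $lnk.Arguments -match '--remote-debugging-(port|pipe)'

            # A browser-named shortcut that launches something else matches the
            # Chronod hijack; a shortcut that opens the browser with a debugging
            # switch hands the DevTools Protocol to whatever starts it.
            if (($namedLikeBrowser -and -not $targetsBrowser) -or $enablesDebugging) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

"Suspicious browser shortcuts:"
$findings | Format-Table -AutoSize

# A browser already running with the DevTools endpoint exposed is the live
# counterpart of the same technique, regardless of how it was launched.
"Browsers running with remote debugging enabled:"
Get-CimInstance -ClassName Win32_Process |
    Where-Object {
        $browserExe -contains $_.Name -and
        $_.CommandLine -match '--remote-debugging-(port|pipe)'
    } |
    Select-Object ProcessId, Name, CommandLine |
    Format-Table -AutoSize
```

Run it in the context of the logged-on user, since the shortcut paths and the command lines of that user's processes are what matter here. A hit on either list is a lead, not a verdict: developers legitimately run browsers with `--remote-debugging-port`, and some installers create browser shortcuts that point at a launcher, so confirm the target binary before acting.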