Phishing campaign targets LATAM e-commerce users with Chaes Malware

Experts from Cybereason Nocturnus uncovered an active campaign that targets users of a large e-commerce platform in Latin America with Chaes malware.

Cybereason Nocturnus security researchers have identified an active campaign focused on the users of a large e-commerce platform in Latin America.

Experts at Cybereason Nocturnus have uncovered an active campaign targeting the users of a large e-commerce platform in Latin America with malware tracked as Chaes.

The Chaes malware was first spotted in the middle to late 2020 by Cybereason researchers, it is a multistage information stealer that focuses
on Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America.  In 2019, over 320 million users were registered with the MercadoLivre e-commerce platform. 

Chaes is written in several programming languages including Javascript,
Vbscript, .NET , Delphi and Node.js. Experts believe that the malicious code is under development.

“Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.Js information stealer that exfiltrates data using the node process.” reads the analysis published by Cybereason.

Chaes is also able to take screenshots of the victim’s machine, and
hook and monitor the Chrome web browser to collect user information from infected hosts.

The kill chain starts with phishing messages that use a .docx file that once is opened triggers a template injection attack.

Upon connecting to the command-and-control server, the malware downloads the first malicious payload in the form of a .msi file, which deploys a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin. The malware also installs three other files, hhc.exe, hha.dll and chaes1.bin, researchers also observed the use of a cryptocurrency mining module. 

The attackers use Microsoft Word’s built-in feature to fetch a payload from a remote server, by changing the template target of the settings.xml file which is embedded in the document and populating this field with a download URL of the next payload.

Chaes attack chain is composed of several stages that include the use
of LoLbins and other legitimate software to avoid detection by AV products.

Experts observed several variants over the recent months, it authors have improved encryption and implemented new functionality of the final Node.js module.

“Multistage malware that uses such techniques in the LATAM region and specifically in Brazil have already been observed and investigated by Cybereason in the past years. Chaes demonstrates how sophisticated and creative malware authors in the Latin America region can be when attempting to reach their goals.” concludes the report. “The malware not only serves as a warning sign to information security researchers and IT professionals not to take lightly the existence of files that are legitimate in nature, but also raises the concern of a possible future trend in using the Puppeteer library for further attacks in other major financial institutions”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]