Chae$ Chronicles: Version 4.1 Dedicated to Morphisec Researchers

Morphisec Threat Labs analyzes Chaes 4.1, an update to the Chaes infostealer malware family, highlighting improvements to the Chronod module and a direct message to Morphisec embedded in the source code. The post details the infection chain, from Portuguese-language phishing emails to attacker-controlled websites that deliver an MSI payload, while noting Morphisec AMTD protection and ongoing interaction with the threat actors. #Chaes #TotalAV

Key Points

  • Chaes 4.1 introduces enhancements to the Chronod module and even includes a direct message to Morphisec researchers in the source code.
  • The infection chain starts with a Portuguese-language phishing email posing as an urgent legal matter, pressuring a prompt response and including a link and password to access the document.
  • Attacker-controlled websites redirect victims and deliver the MSI installer, using deception around a ZIP download and a site impersonating TotalAV.
  • The campaign uses multiple sites (e.g., totalavprotection.shop and webcamcheck.online) to deliver payloads and simulate system scans via JavaScript.
  • A script named download.js decodes a zipped base64 blob to smuggle the malicious MSI, which activates Chaes 4.1.
  • Exfiltrated data is sent to the threat actor’s C2, featuring a threat actor panel and ongoing interaction with Morphisec researchers.
  • Morphisec promotes Automated Moving Target Defense (AMTD), protecting thousands of organizations across millions of endpoints.

MITRE Techniques

  • [T1566.001] Phishing – The infection chain starts with an email written in Portuguese… The email includes a link and a password to access the document from that link. – “The infection chain starts with an email written in Portuguese, which purports to be an urgent communication request from a lawyer regarding a legal case. The email pressured the victim with an urgent call for “prompt response”, or risk highly adverse legal repercussions. The email includes a link and a password to access the document from that link.”
  • [T1189] Drive-by Compromise – Delivery via attacker-controlled websites that redirect to deceptive pages delivering the MSI installer. – “Delivery via attacker Controlled Websites… Upon clicking the provided link, the victim will be redirected to https://totalavprotection[.]shop/abrirProcesso.php?email=… This website … directly delivering the MSI installer without the intermediary step of a ZIP file.”
  • [T1105] Ingress Tool Transfer – The deceptive site directly delivers the MSI installer (payload). – “For TotalAV, directly delivering the MSI installer without the intermediary step of a ZIP file.”
  • [T1059.007] JavaScript – A website executes JavaScript in the background to mimic a legitimate system scan. – “a JavaScript is executed in the background. The script is designed to mimic the appearance of a legitimate system scan.”
  • [T1027] Obfuscated/Compressed Files and Information – The installer is smuggled by decoding a zipped base64 blob. – “decoding a zipped base64 blob. Following the activation of the installer, Chae$ 4.1 is activated.”
  • [T1041] Exfiltration Over C2 Channel – Exfiltrated data is delivered to the threat actor’s C2. – “Following successful activation, exfiltrated data is delivered to the threat actor’s C2.”
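The T1027 entry above (and the download.js key point) describes the installer being smuggled as a zipped base64 blob inside a script. The following is an added detection example, not code from the Morphisec post: it scans JavaScript source for long base64 string literals, decodes each one, and reports any that turn out to be a ZIP archive, flagging archives that contain an MSI. The sample download.js content and the archive member name `installer.msi` are constructed here for the demonstration (the member holds placeholder bytes, not a real installer).

```python
import base64
import io
import re
import zipfile

# Base64 literals shorter than this are usually ordinary string constants,
# so only longer ones are decoded. (Threshold is an assumption, tune as needed.)
MIN_BLOB_LEN = 64
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{%d,}={0,2})["\']' % MIN_BLOB_LEN)


def find_smuggled_archives(js_source: str) -> list[dict]:
    """Return one finding per base64 string literal in js_source that decodes
    to a ZIP archive: the literal's offset, the archive's member names, and
    whether any member is an .msi file."""
    findings = []
    for match in B64_LITERAL.finditer(js_source):
        try:
            blob = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue  # not valid base64 after all
        if not blob.startswith(b"PK\x03\x04"):
            continue  # not a ZIP local-file header
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            continue  # right magic bytes but not a readable archive
        findings.append({
            "offset": match.start(1),
            "members": members,
            "has_msi": any(m.lower().endswith(".msi") for m in members),
        })
    return findings


def build_sample_js() -> str:
    """Constructed stand-in for download.js: a ZIP holding a dummy
    'installer.msi' (placeholder bytes) embedded as a base64 literal."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.msi", b"PLACEHOLDER-NOT-A-REAL-MSI " * 8)
    blob = base64.b64encode(buf.getvalue()).decode()
    return 'var status = "scanning";\nvar payload = "%s";\n' % blob


if __name__ == "__main__":
    for finding in find_smuggled_archives(build_sample_js()):
        print(finding)
```

Running the script against the constructed sample reports a single finding with `members == ['installer.msi']` and `has_msi == True`; the short `"scanning"` literal is ignored.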

Indicators of Compromise

  • [Domain] totalavprotection[.]shop – deceptive site delivering the MSI installer.
  • [Domain] webcamcheck[.]online – presents a fake risk scan and delivers payloads.
  • [URL] https://totalavprotection[.]shop/abrirProcesso.php?email= – redirect link used in the phishing flow.
  • [URL] https://www.webcamcheck[.]online/ – site delivering the malicious payload after user interaction.
  • [File] document.zip – ZIP file referenced as part of the download chain.
  • [File] MSI installer – the installer delivered by the deceptive sites.
  • [File] download.js – script that smuggles the malicious installer.

Read more: https://blog.morphisec.com/chaes-chronicles