Chaes is a banking trojan that operates only in Brazil. It uses a multi-stage delivery chain to steal Google Chrome credentials and to intercept logins to Brazilian banking and payment sites. Avast found Chaes artifacts on more than 800 compromised WordPress sites, over 700 of them under Brazilian TLDs, which points to compromised WordPress installations as the initial infection vector. #Chaes #MercadoPago
Key points
- Chaes operates solely in Brazil and targets Brazilian banking websites; infection attempts were detected on tens of thousands of users' devices in Q4 2021.
- Infection begins on compromised WordPress sites that serve a fake Java Runtime installer as the lure, which starts a multi-stage payload chain.
- The delivery chain combines scripting frameworks (JScript, Python, NodeJS), Delphi binaries, and malicious Chrome extensions to reach the final payload.
- The malware implements persistence via Scheduled Tasks and Startup links to maintain execution after reboot.
- Chaes loads a Delphi-based module (chaes_vy.dll) into memory, which then loads embedded .NET and JavaScript components to form the loader chain.
- Final payloads include Chrome extensions designed to exfiltrate Chrome credentials and monitor/steal data from Brazilian banking sites such as MercadoPago, Mercado Livre, and others.
MITRE Techniques
- [T1059.006] Python - Python is one stage of the multi-stage delivery chain: "The malware is distributed through many compromised websites, including highly credible sites. Chaes is characterized by the multiple-stage delivery that utilizes scripting frameworks such as JScript, Python, and NodeJS."
- [T1059.007] JavaScript - The JScript and NodeJS loader stages and the final-stage "malicious Google Chrome extensions" are all JavaScript.
- [T1112] Modify Registry - The loader stores the location of its extensions folder in the registry: "Writes the path of the newly created extensions folder to HKEY_CURRENT_USER\Software\Python\Config\Path."
- [T1053.005] Scheduled Task - The loader's primary persistence is a scheduled task: "Sched.js accomplishes this by creating a Scheduled Task as its primary means."
- [T1547.001] Registry Run Keys / Startup Folder - As a fallback, a shortcut is placed in the Startup folder: "and creating a Startup link as its backup means."
- [T1055] Process Injection - The Delphi module is brought into the running process by shellcode rather than by the normal image loader: "chaes_vy.dll is loaded into memory by an embedded shellcode."
- [T1071.001] Web Protocols - The NodeJS component talks to the operator over two channels: "Index.js utilizes two methods of communicating with the attacker: through WebSocket and through HTTP."
- [T1056.001] Keyboard Input Capture - The C2 channel carries input-related commands: "Send command such as keystroke, mouseclick." Note that the quoted text describes the operator sending keystrokes and mouse clicks to the victim (remote input control), so this technique fits only loosely.
- [T1105] Ingress Tool Transfer - The loader fetches further stages from the C2: "download 32bit and 64bit __init__.py scripts along with 2 encrypted payloads."
- [T1027] Obfuscated/Encrypted Files and Information - Payload binaries are stored encrypted and decrypted by the loader at run time: "All the binaries with dll_filename argument ... are encrypted, including the ones inside the RAR archive."
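The three host behaviours above (the registry write under HKEY_CURRENT_USER\Software\Python\Config\Path, scheduled-task creation, and the Startup shortcut) are enough to build a simple triage rule. The following is an added example, not Avast's code and not from the original write-up. It runs over constructed Sysmon and Security log style records: event IDs 1 (process create), 11 (file create), 13 (registry value set) and 4698 (scheduled task created) are real Windows event IDs, but every record, SID, file path and task name is made up. The registry path is the one the write-up quotes; because the page gives no task name or Startup link name, those two artefacts are matched by event type and location only, and the verdict requires the Chaes-specific registry write before it fires.

```python
"""Host-side triage for the Chaes loader behaviours listed above.

Added example, not Avast's code. Event IDs 1, 11, 13 and 4698 are real Windows
event IDs; every record, SID, path and task name below is constructed. The
registry path is the one quoted in the write-up.
"""
import re

# Sysmon logs HKCU keys under HKU\<user SID>\..., so the SID prefix is folded
# back to HKCU before comparing with the path quoted in the write-up.
CONFIG_PATH_KEY = r"hkcu\software\python\config\path"
HKU_SID = re.compile(r"^hku\\s-1-5-21(-\d+)+(_classes)?\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)


def normalise_reg_path(target):
    """Lower-case a registry path and rewrite HKU\\<SID>\\ as HKCU\\."""
    return HKU_SID.sub(lambda m: "hkcu\\", target).lower()


def triage(events):
    """Return (technique, event_id, detail) for each event that fits the chain."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and normalise_reg_path(ev.get("TargetObject", "")) == CONFIG_PATH_KEY:
            findings.append(("T1112", 13, ev.get("Details", "")))
        elif eid == 1 and SCHTASKS_CREATE.search(ev.get("CommandLine", "")):
            findings.append(("T1053.005", 1, ev["CommandLine"]))
        elif eid == 4698:
            # 4698 fires whichever API created the task (schtasks.exe or the
            # Schedule.Service COM object a JScript loader can call), so it is
            # surfaced for review even though the page names no task.
            findings.append(("T1053.005", 4698, ev.get("TaskName", "")))
        elif eid == 11 and STARTUP_LNK.search(ev.get("TargetFilename", "")):
            findings.append(("T1547.001", 11, ev["TargetFilename"]))
    return findings


def verdict(events):
    """True only when the Chaes-specific registry write is accompanied by at
    least one persistence artefact; task creation or a Startup shortcut on
    their own are far too common to alert on."""
    techniques = {f[0] for f in triage(events)}
    return "T1112" in techniques and bool(techniques & {"T1053.005", "T1547.001"})


# Constructed records. Field names follow Sysmon (TargetObject, Details,
# TargetFilename, CommandLine) and Security event 4698 (TaskName).
SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\%s\Software\Python\Config\Path" % SID,
     "Details": r"C:\Users\victim\AppData\Local\Temp\extensions"},
    {"EventID": 4698, "TaskName": r"\MaintenanceTask"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    # Benign noise that must not match: a genuine Python install key and a
    # schtasks invocation that only queries.
    {"EventID": 13,
     "TargetObject": r"HKU\%s\Software\Python\PythonCore\3.9\InstallPath" % SID,
     "Details": r"C:\Python39"},
    {"EventID": 1, "CommandLine": r"schtasks.exe /query /fo LIST"},
]

if __name__ == "__main__":
    for technique, eid, detail in triage(SAMPLE_EVENTS):
        print(technique, eid, detail)
    print("likely Chaes:", verdict(SAMPLE_EVENTS))
```

The HKU-to-HKCU normalisation matters in practice: a rule written against the literal HKEY_CURRENT_USER path from the write-up will never match Sysmon output, which records the per-user hive by SID.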
Indicators of Compromise
- [URL] HTML Script β is[.]gd/EnjN1x?V=31, is[.]gd/oYk9ielu?D=30, is[.]gd/Lg5g13?V=29, is[.]gd/WRxGba?V=27, is[.]gd/3d5eWS?V=26
- [URL] MSI Download URLs - dragaobrasileiro[.]com.br/wp-content/themes/getcorsfile.php?, chopeecia[.]com.br/D4d0EMeUm7/index.php?install, bodnershapiro[.]com/blog/wp-content/themes/twentyten/p.php?, dmt-sys[.]net/index.php?
- [IP] Addresses - 200[.]234[.]195[.]91, 108[.]166[.]219[.]43
- [Domain] CnC/Backend - f84f305c[.]com, awsvirtual[.]blogspot.com, cliq-no[.]link
- [SHA256] MSI installer - f20d0ffd1164026e1be61d19459e7b17ff420676d4c8083dd41ba5d04b97a08c, 069b11b9b1b20828cfb575065a3d7e0b6d00cd1af10c85c5d6c36caea5e000b7
- [SHA256] __init__.py - 70135c02a4d772015c2fce185772356502e4deab5689e45b95711fe1b8b534ce
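The indicator list mixes three kinds of network artefact that should not all be matched the same way: the download URLs sit on compromised legitimate sites (and an is[.]gd shortener), so alerting on the bare host would flag every visitor, whereas f84f305c[.]com and cliq-no[.]link are attacker-controlled and can be matched with their subdomains. The following is an added example, not Avast's code and not from the original write-up, that refangs the indicators above and applies them to a web-proxy log and a file-hash inventory. The indicator values are the ones on this page; the proxy log lines, their space-separated format (timestamp client method url status), the file paths and the non-Chaes hash are constructed.

```python
"""Match the Chaes indicators listed above against a web-proxy log and a file
hash inventory.

Added example, not Avast's code. Indicator values come from the page (refanged
from their [.] form); the log lines, log format, file paths and the non-Chaes
hash are constructed.
"""
from urllib.parse import urlsplit


def refang(ioc):
    """Undo the [.] defanging used on the page."""
    return ioc.replace("[.]", ".")


def normalise_url(url):
    """Return host/path?query with scheme dropped and host lower-cased.
    A trailing '?' with no query (as in 'index.php?') is dropped, so that
    indicator is applied as a path prefix."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    norm = (parts.hostname or "") + parts.path
    if parts.query:
        norm += "?" + parts.query
    return norm


# Delivery URLs sit on compromised legitimate sites, so they are matched on
# host plus path prefix rather than on the bare host.
URL_IOCS = [normalise_url(refang(u)) for u in (
    "is[.]gd/EnjN1x?V=31", "is[.]gd/oYk9ielu?D=30", "is[.]gd/Lg5g13?V=29",
    "is[.]gd/WRxGba?V=27", "is[.]gd/3d5eWS?V=26",
    "dragaobrasileiro[.]com.br/wp-content/themes/getcorsfile.php?",
    "chopeecia[.]com.br/D4d0EMeUm7/index.php?install",
    "bodnershapiro[.]com/blog/wp-content/themes/twentyten/p.php?",
    "dmt-sys[.]net/index.php?",
)]
# Attacker-controlled hosts: match the host itself and any subdomain of it.
DOMAIN_IOCS = [refang(d) for d in ("f84f305c[.]com", "awsvirtual[.]blogspot.com", "cliq-no[.]link")]
IP_IOCS = {refang(i) for i in ("200[.]234[.]195[.]91", "108[.]166[.]219[.]43")}
HASH_IOCS = {
    "f20d0ffd1164026e1be61d19459e7b17ff420676d4c8083dd41ba5d04b97a08c": "Chaes MSI installer",
    "069b11b9b1b20828cfb575065a3d7e0b6d00cd1af10c85c5d6c36caea5e000b7": "Chaes MSI installer",
    "70135c02a4d772015c2fce185772356502e4deab5689e45b95711fe1b8b534ce": "Chaes __init__.py",
}


def classify_url(url):
    """Return (kind, indicator) for a requested URL, or None if it is clean."""
    norm = normalise_url(url)
    host = norm.split("/", 1)[0]
    for ioc in URL_IOCS:
        if norm.startswith(ioc):
            return ("url", ioc)
    for domain in DOMAIN_IOCS:
        if host == domain or host.endswith("." + domain):
            return ("domain", domain)
    if host in IP_IOCS:
        return ("ip", host)
    return None


def scan_proxy_log(text):
    """Return a list of (timestamp, client, kind, indicator) for each hit."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        hit = classify_url(fields[3])
        if hit:
            hits.append((fields[0], fields[1], hit[0], hit[1]))
    return hits


def scan_hashes(inventory):
    """inventory maps path -> SHA256; returns (path, label) for known hashes."""
    return [(path, HASH_IOCS[h.lower()]) for path, h in inventory.items()
            if h.lower() in HASH_IOCS]


# Constructed proxy log: one infection sequence plus two clean requests, one of
# them to the front page of a compromised site, which must not alert.
PROXY_LOG = """\
2021-11-12T10:01:03Z 10.0.0.15 GET http://www.example.com/ 200
2021-11-12T10:01:09Z 10.0.0.15 GET https://is.gd/EnjN1x?V=31 302
2021-11-12T10:01:10Z 10.0.0.15 GET http://dragaobrasileiro.com.br/wp-content/themes/getcorsfile.php?x=1 200
2021-11-12T10:01:11Z 10.0.0.15 GET http://dragaobrasileiro.com.br/ 200
2021-11-12T10:02:44Z 10.0.0.15 POST http://f84f305c.com/api/ 200
2021-11-12T10:02:45Z 10.0.0.15 GET http://200.234.195.91/init 200
"""

# Constructed file inventory; the file names are placeholders, only the hashes
# come from the page.
FILE_INVENTORY = {
    r"C:\Users\victim\Downloads\installer.msi":
        "F20D0FFD1164026E1BE61D19459E7B17FF420676D4C8083DD41BA5D04B97A08C",
    r"C:\Users\victim\AppData\Local\Temp\__init__.py":
        "70135c02a4d772015c2fce185772356502e4deab5689e45b95711fe1b8b534ce",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(*hit)
    for path, label in scan_hashes(FILE_INVENTORY):
        print(label, path)
```

Hashes are compared case-insensitively because inventory tools differ in the case they emit; the request to the front page of dragaobrasileiro.com.br is deliberately left unflagged, since only the getcorsfile.php path on that site is part of the infection chain.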
Read more: https://decoded.avast.io/anhho/chasing-chaes-kill-chain/