In the ever-evolving landscape of cybersecurity threats, a new and sophisticated player has emerged – the Chaes malware variant. This malware, which first surfaced in 2020, has undergone significant transformations, posing a substantial risk to the banking and logistics sectors, with a particular focus on e-commerce customers in Latin America, notably Brazil.

In this comprehensive exploration, we delve into the technical details of Chaes, its modus operandi, and its potential implications for financial and logistics industries. It’s imperative to understand the inner workings of this threat to bolster our defenses against it.

The Chaes Delivery Mechanism

While Chaes has undergone architectural changes, its delivery mechanism remains consistent. The malware infiltrates systems through compromised websites, using them as vectors to deploy malicious files. Once inside a victim’s system, Chaes establishes communication with a command-and-control (C2) server, effectively opening the door for data theft and post-compromise activities.

Financial Motivations: Targeting Cryptocurrency Transfers

Chaes has evolved to have financial motivations at its core. It now specifically targets cryptocurrency transfers and instant payments conducted through Brazil’s PIX platform. This shift underscores the malware’s adaptability and the evolving threat landscape in the financial sector.

The Technical Underpinnings of Chaes

Chaes stands out as a resilient and adaptive malware strain, capable of evading traditional detection methods. Its most notable technical transformation is a complete rewrite in Python, a versatile programming language prized for its flexibility and ease of deployment. This rewrite has rendered Chaes less conspicuous to conventional defense systems, allowing it to infiltrate target systems with reduced risk of detection.

A Multi-Module Architecture

Chaes employs a multi-module architecture, with each module serving specific malicious purposes. The primary orchestrator module, known as ChaesCore, acts as the communication gateway with the C2 server. It fetches additional modules that support post-compromise activities and data theft. These modules include “Init” for gathering system information, “Online” for transmitting status updates to the attacker, and “Chronod,” designed to steal login credentials and intercept cryptocurrency transfers.

The “Stealer” Module

Among these modules, the “Stealer” module is particularly concerning. It is an enhanced version of “Chrolog” and is tailored to pilfer sensitive information, including credit card data, cookies, autofill data, and other browser-stored details. Moreover, the “File Uploader” module facilitates the upload of data associated with MetaMask’s Chrome extension, potentially compromising users’ cryptocurrency wallets.

Persistence Through Scheduled Tasks

To ensure its longevity on infected hosts, Chaes employs scheduled tasks, guaranteeing that the malware remains active even after system reboots. This persistence is a key feature that makes Chaes a formidable and tenacious threat.

Exploiting Google’s DevTools Protocol

One distinctive and alarming aspect of Chaes is its use of Google’s DevTools Protocol to interact with web browsers. The protocol, intended for debugging and automation, exposes the browser’s internals to an external client over a WebSocket connection. Through it an attacker can execute scripts, intercept network requests, read POST bodies in the clear before they are encrypted for transit, and perform other actions inside a compromised browser instance. These capabilities significantly expand the scope of malicious activity, making Chaes a potent and versatile threat to users and organizations alike.
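The DevTools WebSocket endpoint is only reachable when the browser has been started with a remote-debugging switch, so a defender can hunt for that condition on endpoints. The following is an added detection example, not code from this article or from any Chaes analysis: it scans constructed process records (a hypothetical EDR or process-inventory export) for Chromium-family browsers launched with the standard `--remote-debugging-port` / `--remote-debugging-pipe` switches, and adds context such as an unexpected parent process or headless mode.

```python
import shlex
from dataclasses import dataclass

# Chromium-family browser executables that expose the DevTools Protocol.
BROWSER_EXES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Standard Chromium switches that open the DevTools endpoint to an external client.
DEBUG_SWITCHES = ("--remote-debugging-port", "--remote-debugging-pipe")
# Parents that normally launch a user's browser; anything else deserves a look.
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe"}

@dataclass
class Proc:
    pid: int
    parent: str   # parent process image name
    cmdline: str  # full command line as recorded by the hypothetical inventory

@dataclass
class Finding:
    pid: int
    reasons: tuple

def inspect(proc: Proc):
    """Return a Finding if a Chromium-family browser was started with remote debugging on."""
    try:
        argv = shlex.split(proc.cmdline, posix=False)  # keeps Windows paths and quotes intact
    except ValueError:
        return None  # unbalanced quotes: not parseable, not a browser launch we can judge
    exe = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower() if argv else ""
    if exe not in BROWSER_EXES:
        return None
    reasons = [f"remote debugging switch: {a}" for a in argv[1:]
               if a.lower().startswith(DEBUG_SWITCHES)]
    if not reasons:
        return None  # ordinary browser launch
    if proc.parent.lower() not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent process: {proc.parent}")
    if any(a.lower() == "--headless" for a in argv[1:]):
        reasons.append("headless mode: no visible window for the user")
    return Finding(proc.pid, tuple(reasons))

def scan(procs):
    return [f for f in map(inspect, procs) if f is not None]

# Constructed sample records, not taken from a real host or from Chaes itself.
SAMPLE = [
    Proc(4120, "explorer.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    Proc(5532, "python.exe", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless'),
    Proc(6010, "explorer.exe", r'"C:\Windows\System32\notepad.exe" --remote-debugging-port=9222'),
]
```

Only the second record is flagged: a browser with remote debugging enabled, spawned by a Python interpreter, running headless so the user sees no window.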

Conclusion

The Chaes malware variant represents a significant cybersecurity threat, especially to the banking and logistics sectors in Latin America. Its adaptability, technical sophistication, and financial motivations make it a formidable adversary. To combat this evolving threat effectively, organizations and individuals must stay informed about Chaes’s intricacies and take proactive measures to protect their systems and sensitive data.
