Cybereason Nocturnus experts discovered an active campaign targeting users of Latin America’s largest e-commerce platform with the Chaes malware.
The Chaes malware was first noticed by Cybereason researchers in mid-to-late 2020. It is a multi-stage information stealer targeting Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America. By 2019, more than 320 million users were registered on the MercadoLivre e-commerce platform.
Chaes is written in several programming languages, including JavaScript, VBScript, .NET, Delphi and Node.js. According to the experts, the malicious code is still under development.
Chaes focuses specifically on the website of the Brazilian e-commerce company MercadoLivre and its payment site MercadoPago in order to steal its customers' financial information. Chaes' latest payload is a Node.js information stealer that exfiltrates the data through the node process.
Chaes can also take screenshots of the victim's computer and hook and monitor the Chrome web browser to collect information about users of the infected hosts.
The infection chain starts with phishing messages carrying a .docx file which, once opened, performs a template injection attack.
When the malware connects to the command and control server, it downloads the first malicious payload as a .msi file, which drops the .vbs file used to launch the other processes along with the .dll and engine.bin files. The malware also installs three other files, hhc.exe, hha.dll and chaes1.bin, and the researchers also observed the use of a cryptocurrency mining module.
The attackers abuse a built-in Microsoft Word feature to retrieve a payload from a remote server: they change the template target in the settings.xml file embedded in the document and fill the URL field with the location of the next payload to download.
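As a defensive check for the template-injection step described above, the following is an added Python example (not code from the Cybereason report) that opens a .docx and reports any attachedTemplate relationship pointing at an external URL; settings.xml itself only carries a relationship id, and the target URL is resolved through the neighbouring .rels part. The .docx it inspects is constructed inline, and the URL in it is a placeholder, not an indicator from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target in the .docx relationship parts.

    A benign template link normally points at a local .dotx/.dotm; one with
    TargetMode="External" and a URL Target is what remote template injection
    looks like on disk, so it is a cheap check for a mail gateway or triage.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # settings.xml only carries an r:id; the link itself lives in the .rels part
            if not (name.startswith("word/_rels/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target", ""))
    return targets


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx, with or without an external template relationship."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    settings = (f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
                + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
                + "</w:settings>")
    rels = (f'<Relationships xmlns="{PKG_REL_NS}">'
            + (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"'
               ' TargetMode="External"/>' if template_target else "")
            + "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")  # body text is irrelevant here
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Running `find_remote_templates` on a real attachment (read the file's bytes and pass them in) returns the list of external template URLs, which is empty for an ordinary document; the placeholder host used in the sample is a constructed value.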
The attack chain includes several steps, among them the use of LoLbins and other legitimate software to evade detection by AV products.
In recent months the experts have observed several variants; the authors have improved the encryption and implemented new functions in the final Node.js module.
Cybereason has already observed and investigated multi-stage malware using such techniques in the LATAM region, and in Brazil in particular. Chaes shows how complex and creative malware authors in the Latin American region can be when pursuing their goals. The malware not only serves as a warning to security researchers and IT professionals not to take the presence of inherently legitimate files lightly, but also raises concerns about a possible future trend of using the Puppeteer library in new attacks on other major financial institutions.
Pierluigi Paganini
(Security Affairs – hacking, malware)