Chaes Banking Trojan Invades Chrome Browser and Installs Malicious Extensions.
Avast researchers Anh Ho and Igor Morgenstern reported that, "Chaes is separated by its multi-stage delivery, which employs scripting frameworks such as JScript, Python, and NodeJS, binaries written in Delphi and malicious Google Chrome extensions. Chaes' ultimate goal is to steal credentials stored in Chrome and hijack logins to popular Brazilian banking websites."
Chaes is a banking trojan that only operates in Brazil and was discovered by Cybereason in November 2020. Avast detected an increase in Chaes activity in Q4 2021, with infection attempts detected on over 66,605 of its Brazilian customers. During its investigation, Avast discovered that the malware is distributed through a large number of compromised websites, including well-known ones.
Avast discovered Chaes' artefacts on over 800 websites, over 700 of which have Brazilian TLDs. All of the compromised websites run WordPress, which leads Avast to believe that the attack vector could be the exploitation of WordPress CMS vulnerabilities; however, Avast was unable to conduct forensics to confirm this theory. Avast immediately reported its findings to the Brazilian CERT (BR CERT) in the hope of preventing further incidents.
The info-stealing malware, first identified by Cybereason, is delivered through a sophisticated infection chain designed to harvest sensitive consumer information such as login credentials, credit card numbers and other financial information. Components of that chain described by Avast include:
Online – A Delphi module used to fingerprint the victim and transmit the system information to a command-and-control (C2) server.
Mtps4 (MultiTela Pascal) – A Delphi-based backdoor whose main purpose is to connect to the C2 server and wait for a responding Pascal Script to execute.
Chrolog (ChromeLog) – A Google Chrome password stealer written in Delphi.
Avast stated that the attacks are still ongoing and that it had shared its findings with the Brazilian CERT in order to halt the spread of the malware. Nonetheless, Chaes-related artefacts can still be found on some of the infected websites.
Finally, the researchers concluded that, "Chaes exploits many WordPress-powered websites to serve malicious installers. The Google Chrome extensions are capable of stealing users' Chrome credentials and collecting users' banking information from popular banking websites."
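Because the final stage relies on a Chrome extension that was never installed from the Web Store, one practical check on an endpoint is to inventory the extensions recorded in a Chrome profile and flag those that were sideloaded or that hold permissions broad enough to read every page the user visits. The script below is an added example written for this article; it is not Avast's tooling and not part of the original report. It assumes the layout of Chrome's Preferences / Secure Preferences JSON (the extensions.settings map, the integer location values from Chromium's ManifestLocation enum, the from_webstore flag and the Web Store update_url), which should be verified against the Chrome build in use. The sample profile data embedded in it is constructed for the demonstration.

```python
"""Inventory Chrome extensions from a profile's Preferences JSON and flag
those that did not come from the Chrome Web Store, listing any permissions
that would let them read or alter banking pages. Added example, not
Avast's code; field names are assumptions about Chrome's preferences layout."""
import json
from pathlib import Path

# Chromium ManifestLocation values (assumption: extensions/common/mojom/manifest.mojom).
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
# Registry / preference-file / unpacked / --load-extension installs bypass the store.
SIDELOAD_LOCATIONS = {2, 3, 4, 8}
COMPONENT_LOCATION = 5  # shipped inside the browser itself; not user-installed
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Permissions that expose page content, cookies or network traffic to the extension.
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                     "cookies", "tabs", "scripting", "debugger"}


def load_prefs(path):
    """Read a Chrome Preferences or Secure Preferences file into a dict."""
    return json.loads(Path(path).read_text(encoding="utf-8"))


def flag_suspicious_extensions(prefs):
    """Return {extension_id: {name, reasons, risky_permissions}} for every
    extension whose provenance is not the Chrome Web Store."""
    findings = {}
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        loc = entry.get("location")
        if loc == COMPONENT_LOCATION:
            continue
        manifest = entry.get("manifest", {})
        reasons = []
        if loc in SIDELOAD_LOCATIONS:
            reasons.append(f"installed via {LOCATION_NAMES.get(loc, loc)}")
        if not entry.get("from_webstore", False):
            reasons.append("from_webstore flag not set")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append(f"update_url {manifest.get('update_url')!r} is not the Web Store")
        if not reasons:
            continue
        # Manifest V2 keeps host patterns in 'permissions'; V3 moves them to 'host_permissions'.
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        findings[ext_id] = {
            "name": manifest.get("name", "<unnamed>"),
            "reasons": reasons,
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        }
    return findings


# Constructed sample: one store extension, one sideloaded extension, one component.
SAMPLE_PREFS = {"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {
        "location": 1, "from_webstore": True,
        "manifest": {"name": "Ad Blocker", "update_url": WEBSTORE_UPDATE_URL,
                     "permissions": ["storage"]}},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "location": 4, "path": "C:\\Users\\user\\AppData\\Roaming\\helper",
        "manifest": {"name": "Chrome Helper",
                     "permissions": ["tabs", "webRequest", "<all_urls>", "storage"]}},
    "componentcomponentcomponentcompo": {
        "location": 5, "manifest": {"name": "Built-in", "permissions": ["<all_urls>"]}},
}}}


def main(argv):
    prefs = load_prefs(argv[1]) if len(argv) > 1 else SAMPLE_PREFS
    for ext_id, info in flag_suspicious_extensions(prefs).items():
        print(f"{ext_id}  {info['name']}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
        if info["risky_permissions"]:
            print("    risky permissions: " + ", ".join(info["risky_permissions"]))


if __name__ == "__main__":
    import sys
    main(sys.argv)
```

Run it with no arguments to see the constructed sample triaged, or pass the path to a profile's Preferences or Secure Preferences file (Chrome must be closed or the file copied first). The Web Store checks are deliberately conservative: an extension installed through the store but carrying broad permissions is not reported, since that is normal for many legitimate extensions; the signal worth chasing is a sideloaded extension that also holds page-reading permissions.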