Avast researchers Anh Ho and Igor Morgenstern reported that "Chaes is separated by its multi-stage delivery, which employs scripting frameworks such as JScript, Python, and NodeJS, binaries written in Delphi and malicious Google Chrome extensions. Chaes' ultimate goal is to steal credentials stored in Chrome and hijack logins to popular Brazilian banking websites."
Chaes is a banking trojan that operates only in Brazil and was first discovered by Cybereason in November 2020. Avast detected an increase in Chaes activity in Q4 2021, with infection attempts observed on more than 66,605 of its Brazilian customers' machines. During its investigation, Avast found that the malware is distributed through a large number of compromised websites, including well-known ones.
Avast discovered Chaes artefacts on over 800 websites, more than 700 of which have Brazilian TLDs. All of the compromised websites run WordPress, which leads the researchers to believe that the attack vector could be the exploitation of WordPress CMS vulnerabilities; however, they were unable to conduct forensics to confirm this theory. Avast immediately reported its findings to the Brazilian CERT (BR Cert) in the hope of preventing future incidents.
The info-stealing malware is delivered through a sophisticated infection chain designed to harvest sensitive consumer information such as login credentials, credit card numbers and other financial information.
Some of the intermediary payloads are not only encrypted but also hidden as commented-out code within the HTML page of a Blogger blogspot domain ("awsvirtual[.]blogspot.com"). Finally, a JavaScript dropper downloads and installs up to five Chrome extensions:
- Online – A Delphi module used to fingerprint the victim and transmit the system information to a command-and-control (C2) server.
- Mtps4 (MultiTela Pascal) – A Delphi-based backdoor whose main purpose is to connect to the C2 server and wait for a responding Pascal Script to execute.
- Chrolog (ChromeLog) – A Google Chrome password stealer written in Delphi.
- Chronodx (Chrome Noder) – A JavaScript trojan that, upon detecting the victim launching the Chrome browser, closes it immediately and reopens its own instance of Chrome containing a malicious module that steals banking information.
- Chremows (Chrome WebSocket) – A JavaScript banking trojan that records keypresses and mouse clicks on Chrome with the goal of plundering login credentials from users of Mercado Livre and Mercado Pago.
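The infection chain above hides encrypted intermediary payloads as commented-out code inside an ordinary-looking HTML page, so a page can look benign to a reader while carrying the next stage in a comment. The scanner below is an added example written for this article, not code from Avast or from the Chaes report: it extracts every HTML comment, discards short ones and prose (licence headers, theme notes), and flags comments whose body consists solely of base64 or hex characters and has high entropy, which is what an encoded blob looks like. The sample page, the thresholds and the function names are constructed for the example; the real Blogger page is not reproduced here.

```python
"""Flag HTML comments that look like smuggled encoded payloads (added example)."""
import base64
import math
import random
import re
from html.parser import HTMLParser

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; hex tops out at 4.0, base64 at 6.0."""
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class CommentCollector(HTMLParser):
    """Collect the body of every <!-- ... --> comment in the document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def classify_blob(body: str):
    """Return 'hex' or 'base64' if the body uses only that alphabet, else None."""
    if HEX_RE.match(body):
        return "hex"
    if B64_RE.match(body):
        return "base64"
    return None


def suspicious_comments(html: str, min_len: int = 200, min_entropy: float = 3.5):
    """Return one finding per comment that looks like an encoded payload.

    Thresholds are assumptions for this example: a real deployment tunes
    min_len against its own pages and reviews hits by hand.
    """
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for raw in parser.comments:
        body = "".join(raw.split())  # smuggled blobs are often line-wrapped
        if len(body) < min_len:
            continue
        kind = classify_blob(body)
        if kind is None:
            continue  # prose, markup or licence text: punctuation breaks the alphabet
        entropy = shannon_entropy(body)
        if entropy < min_entropy:
            continue  # e.g. a long run of one character, not encoded data
        findings.append({
            "encoding": kind,
            "length": len(body),
            "entropy": round(entropy, 2),
            "preview": body[:24],
        })
    return findings


# Constructed sample page (not the real Blogger page): a short theme comment,
# a long licence comment, and a comment carrying 300 pseudo-random bytes
# base64-encoded and wrapped at 76 columns, the way a hidden stage would be.
_rng = random.Random(2024)
_blob = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(300))).decode()
_wrapped = "\n".join(_blob[i:i + 76] for i in range(0, len(_blob), 76))
SAMPLE_HTML = f"""<html><head><title>blog</title>
<!-- theme: minimal -->
<!-- Licensed under the MIT License. Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files, to deal in the Software
without restriction, including without limitation the rights to use, copy, modify, merge. -->
</head><body><p>Hello</p>
<!--
{_wrapped}
-->
</body></html>"""

if __name__ == "__main__":
    for finding in suspicious_comments(SAMPLE_HTML):
        print(finding)
```

Only the third comment survives the filters: the theme note is too short and the licence text contains spaces and punctuation that fall outside the base64 alphabet. Because Chaes encrypts the hidden stages, the scanner cannot decode them, but a high-entropy alphabet-only blob inside a comment is enough to pull the page for analysis.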
Avast stated that the attacks are still ongoing and that it had shared its findings with the Brazilian CERT in order to halt the spread of the malware. Nonetheless, Chaes-related artefacts can still be found on some of the infected websites.
Finally, the researchers concluded that "Chaes exploits many WordPress-powered websites to serve malicious installers. The Google Chrome extensions are capable of stealing users' Chrome credentials and collecting users' banking information from popular banking websites."
Indicators of Compromise
SHA256 Hashes
| Filename | Hash |
|---|---|
| MSI installer | f20d0ffd1164026e1be61d19459e7b17ff420676d4c8083dd41ba5d04b97a08c |
| __init__.py | 70135c02a4d772015c2fce185772356502e4deab5689e45b95711fe1b8b534ce |
| runScript.js | bd4f39daf16ca4fc602e9d8d9580cbc0bb617daa26c8106bff306d3773ba1b74 |
| engine.js | c22b3e788166090c363637df94478176e741d9fa4667cb2a448599f4b7f03c7c |
| image | 426327abdafc0769046bd7e359479a25b3c8037de74d75f6f126a80bfb3adf18 |
| chremows | fa752817a1b1b56a848c4a1ea06b6ab194b76f2e0b65e7fb5b67946a0af3fb5b |
| chrolog | 9dbbff69e4e198aaee2a0881b779314cdd097f63f4baa0081103358a397252a1 |
| chronod | ea177d6a5200a39e58cd531e3effb23755604757c3275dfccd9e9b00bfe3e129 |
| online | 3fd48530ef017b666f01907bf94ec57a5ebbf2e2e0ba69e2eede2a83aafef984 |
| mtps4 | 5da6133106947ac6bdc1061192fae304123aa7f9276a708e83556fc5f0619aab |