A new variant of the Chaes malware [1] [2] [5] [6], known as Chae$4, has emerged as a significant threat to the banking and logistics industries in Latin America, particularly in Brazil [5]. This variant specifically targets customers of financial and logistics companies in the region [6], with a primary focus on Brazilian customers of MercadoLivre [4], the largest e-commerce company in Latin America [1] [3] [4] [7].

Description

Chae$4 is an advanced variant of the Chaes malware that poses a significant threat to the banking and logistics industries in Latin America, especially in Brazil. It specifically targets customers of financial and logistics companies in the region [6], with a primary focus on Brazilian customers of MercadoLivre [4]. This variant has successfully evaded detection by traditional defense systems due to its sophisticated code structure [2], advanced encryption techniques [1] [6], and stealth mechanisms [1] [6]. It has undergone major overhauls [5], including being rewritten in Python to lower detection rates [5]. The threat actors behind the operation [5], known as Lucifer [5] [7], have breached over 800 WordPress websites to deliver the malware [5] [7].

The latest iteration of Chae$4 includes significant transformations and enhancements [5]. It has an expanded catalog of services targeted for credential theft and uses various modules to gather system information [5], steal login credentials [3] [4] [5] [6], intercept payment transfers [5], and collect data from specific apps and platforms [5]. Chae$4 persists on the host through scheduled tasks and communicates with a command-and-control server using WebSockets [5]. It also alters shortcut files associated with web browsers to execute its modules [5].
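
Chae$4 is described above as altering web-browser shortcut files to launch its modules. The following added example (not code from the original page or from any of the cited reports) shows how a defender can parse the header and StringData section of a Windows .lnk file (MS-SHLLINK format) and flag a browser shortcut whose target or argument list deviates from the installed browser; the shortcut bytes, the Chrome path and the `--placeholder-flag` argument are constructed sample data, and the "no arguments expected" check is a heuristic assumption, not a documented Chaes indicator.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # MS-SHLLINK LinkCLSID, little-endian
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))

def parse_lnk(data: bytes) -> dict:
    """Read the ShellLinkHeader and the StringData section of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte size followed by the item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: 4-byte size that counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:   # each string: 2-byte character count, then the characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            fields[name] = data[pos + 2:pos + 2 + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return fields

def build_lnk(relative_path: str, working_dir: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode .lnk for the demo (no IDList/LinkInfo, so not a full Windows link)."""
    flags = HAS_RELPATH | HAS_WORKDIR | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments) if s)
    return header + body

def audit_browser_shortcut(lnk: bytes, browser_exe: str) -> list[str]:
    """Heuristic: a browser shortcut should point at the browser binary and carry no arguments."""
    info = parse_lnk(lnk)
    target = info.get("relative_path", "")
    findings = []
    if target.rsplit("\\", 1)[-1].lower() != browser_exe.lower():
        findings.append(f"target is {target!r}, not {browser_exe}")
    if info.get("arguments"):
        findings.append(f"unexpected arguments: {info['arguments']!r}")
    return findings

# Constructed samples: a clean Chrome shortcut and a copy with an injected placeholder argument.
CHROME_DIR = r"C:\Program Files\Google\Chrome\Application"
CLEAN_LNK = build_lnk(CHROME_DIR + r"\chrome.exe", CHROME_DIR)
ALTERED_LNK = build_lnk(CHROME_DIR + r"\chrome.exe", CHROME_DIR, "--placeholder-flag")
```

In practice the same audit is run over every `.lnk` under the Desktop, Start Menu and taskbar folders, comparing against the browser binary the installer registered.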

Notably, Chae$4 now also targets cryptocurrency transfers and instant payments via Brazil’s PIX platform [5], highlighting the threat actors’ financial motivations [5]. This development may indicate a future trend in using the Puppeteer library for attacks on major financial institutions [3]. The malware consists of multiple modules [6], each with a specific purpose such as stealing credentials and data from Chromium-based browsers [6]. The infection begins with the execution of a malicious MSI installer disguised as a legitimate application installer [6]. Once installed [6], the malware establishes persistence on the infected system by downloading and deploying the files it needs [6]. The core component [6], ChaesCore [6], is responsible for setting up persistence and migrating into legitimate processes [6].

The increase in online shopping due to the COVID-19 pandemic has made e-commerce platforms a lucrative target for cybercriminals [4]. The Latin American cybercrime scene has seen the emergence of other notable malware variants in recent years [4], including Grandoreiro [4], Ursa [4], and Astaroth [1] [4] [6]. Researchers have discovered that Chae$4 primarily targets e-commerce customers in Latin America, including prominent platforms and banks such as Mercado Libre [1], Mercado Pago [1] [7], WhatsApp Web [1], Itau Bank [1], Caixa Bank [1], and MetaMask [1]. Chae$4 is particularly challenging to detect as it employs decryption and dynamic in-memory execution [1], making it even more dangerous for e-commerce customers in the region [1].

Conclusion

The emergence of Chae$4 as a significant threat to the banking and logistics industries in Latin America, particularly in Brazil [5], highlights the need for enhanced cybersecurity measures. The malware’s ability to evade detection and its targeting of e-commerce customers, including prominent platforms and banks [1] [6], poses a serious risk to the region’s financial and logistics sectors. Mitigating this threat requires a multi-layered approach, including robust defense systems, regular security updates, and user education. Additionally, the targeting of cryptocurrency transfers and instant payments via Brazil’s PIX platform suggests a potential future trend in attacks on major financial institutions. It is crucial for organizations and individuals to remain vigilant and proactive in protecting their systems and data from evolving cyber threats.

References

[1] https://thecyberthrone.in/2023/09/06/chae4-malaware-targets-financial-institutions/
[2] https://www.linkedin.com/pulse/new-python-based-chaes-malware-variant-targets-banking-ahmed-osama
[3] https://www.zdnet.com/article/chaes-malware-strikes-customers-of-latin-americas-largest-e-commerce-platform/
[4] https://www.cybereason.com/threat-alert-chaes-e-commerce-malware
[5] https://thehackernews.com/2023/09/new-python-variant-of-chaes-malware.html
[6] https://www.hackread.com/chae4-malware-steals-login-financial-data/
[7] https://beker.uk/2023/09/05/new-python-variant-of-chaes-malware-targets-banking-and-logistics-industries/