Threat actors are always looking for new ways to gain unauthorized access and steal money. According to a new report from cybersecurity firm Morphisec, they have developed a new strain of malware, Chae$ 4, that abuses the Google Chrome DevTools Protocol to harvest data from its victims.
Originally identified as malware targeting e-commerce customers in Latin America, the latest iteration, Chae$ 4, introduces new techniques for extracting credentials and a more refined approach to intercepting clipboard data. Its reliance on the Chrome DevTools Protocol also marks a strategic shift in tactics: rather than scraping data from the outside, the malware gets direct, programmatic access to the victim's browser, and with it an array of intrusive capabilities.
How does the attack work?
According to the report, when a potential victim visits a compromised website, the attackers display a deceptive pop-up urging them to download an installer for the Java Runtime or an antivirus product. Once run, the installer deploys a malicious MSI file, which in turn launches a core module known as "ChaesCore."
ChaesCore then establishes a communication channel with the command-and-control (C2) server and retrieves additional modules. These let the malware gather comprehensive information about the victim's device and extract credentials stored in the browser. Worse, some modules can also intercept financial transactions performed on the victim's device.
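A browser only exposes the DevTools Protocol when it is started with a remote-debugging switch, so one practical detection for this class of abuse is to watch process-creation telemetry for Chromium-based browsers launched with such a switch, and to weight the finding by who launched it (an installer or script host rather than the browser itself) and by companion switches that point to unattended automation (headless mode, a throw-away profile). The script below is an added example and is not code from Morphisec's report or from the malware; the JSON log format, the sample events, the process names in the parent allow-list and the scoring weights are all assumptions chosen for illustration.

```python
import json
import re
from dataclasses import dataclass

# Chromium-family browser image names we care about (assumed set; extend as needed).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}

# Documented Chromium switches that turn on the DevTools Protocol endpoint.
CDP_FLAGS = re.compile(r"--remote-debugging-(port|pipe|address)(=\S+)?", re.IGNORECASE)

# Companion switches typical of unattended automation rather than a person browsing.
EXTRA_FLAGS = re.compile(
    r"--(headless(=\S+)?|user-data-dir=\S+|disable-extensions|no-first-run)", re.IGNORECASE
)

# Parents that should not normally be starting a debuggable browser (assumed list).
INSTALLER_OR_SCRIPT_PARENTS = {"msiexec.exe", "wscript.exe", "cscript.exe",
                               "rundll32.exe", "mshta.exe", "regsvr32.exe"}


@dataclass
class Finding:
    pid: int
    image: str
    parent: str
    cdp_flag: str
    extra_flags: list
    score: int


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event: dict):
    """Score one process-creation event; return a Finding or None."""
    image = image_name(event["image"])
    if image not in BROWSERS:
        return None
    cmdline = event["command_line"]
    match = CDP_FLAGS.search(cmdline)
    if not match:
        return None  # browser started without a DevTools endpoint: not interesting here
    parent = image_name(event["parent_image"])
    extras = [m.group(0) for m in EXTRA_FLAGS.finditer(cmdline)]
    score = 1                          # base: a remote-debugging switch is present
    if parent != image:
        score += 2                     # not a Chromium child inheriting its parent's switches
    if parent in INSTALLER_OR_SCRIPT_PARENTS:
        score += 2                     # launched by an installer or script host
    score += len(extras)               # each automation-style switch adds weight
    return Finding(event["pid"], image, parent, match.group(0), extras, score)


def scan(lines) -> list:
    """Parse JSON-lines process-creation events and return findings in log order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyze_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real logs): one event per line.
SAMPLE_LOG = r"""
{"pid": 3100, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\""}
{"pid": 3120, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "command_line": "chrome.exe --type=renderer --lang=en-US"}
{"pid": 4412, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "chrome.exe --remote-debugging-port=9222 https://example.test"}
{"pid": 5020, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\System32\\msiexec.exe", "command_line": "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --headless=new --remote-debugging-port=9222 --user-data-dir=C:\\Users\\Public\\prof --no-first-run"}
{"pid": 6104, "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "msedge.exe --remote-debugging-pipe"}
"""


if __name__ == "__main__":
    for f in sorted(scan(SAMPLE_LOG.splitlines()), key=lambda f: -f.score):
        print(f"pid={f.pid} score={f.score} parent={f.parent} flag={f.cdp_flag} extras={f.extra_flags}")
```

The developer who starts Chrome from a shell with `--remote-debugging-port` still produces a finding, which is deliberate: the score, not the mere presence of the switch, is what should drive triage, and the combination of an installer parent, headless mode and a profile directory under a world-writable path is what separates the automated case from legitimate debugging.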
Who is behind the Chaes malware attacks?
In early 2022, security researchers at Avast attributed these attacks to a group known as "Lucifer," which primarily targets organizations in the banking and logistics sectors. The group, which has compromised more than 800 WordPress websites, is currently focused on Latin America, particularly Brazil.
“It has a specific focus on customers of prominent platforms and banks such as Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and even MetaMask. Furthermore, dozens of CMS (Content Management) services haven’t been spared either, including WordPress, Joomla, Drupal and Magento,” reads the report.