A new malware strain has been deployed in a campaign aimed at e-commerce customers in Latin America. Dubbed Chaes, the newly discovered threat is multi-stage malware designed to harvest sensitive data such as login credentials, credit card numbers and other financial information.
According to Cybereason Nocturnus researchers, the infostealing campaign is primarily focused on customers of Latin America’s largest e-commerce company, MercadoLivre.
“The Latin American cybercrime scene has evolved a great deal in recent years, with some of the more notorious malware variants gaining prominence in just the last year, including Grandoreiro, Ursa and Astaroth,” the researchers noted.
Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment platform MercadoPago to steal customers' financial information. The final payload of Chaes is a Node.js information stealer that exfiltrates the stolen data through the node process.
Chaes is distributed via phishing emails that notify users that a MercadoLivre purchase has been successful. When the message is opened, a connection to the attacker's command-and-control (C2) server is established and the first malicious payload, an .msi file, is downloaded. This file in turn drops invisible.vbs, a script used to execute other processes, together with uninstall.dll and engine.bin, which act as the malware's "engine", downloading additional content and maintaining its foothold on the infected machine.
Chaes is designed to steal sensitive information from the browser, such as the login credentials, credit card numbers and other financial information of MercadoLivre customers. The malware can also take screenshots of the infected machine and hook and monitor the Chrome web browser to collect user data from infected hosts.
The researchers also noted that Chaes appears to be under active development, with its creators regularly equipping the malware with new capabilities.