18 November 2020

New Chaes malware targets customers of Latin America’s largest e-commerce platform

A new strain of malware has been deployed in a campaign aimed at e-commerce customers in Latin America. Dubbed Chaes, the newly discovered threat is a multi-stage malware designed to harvest sensitive data, such as login credentials, credit card numbers and other financial information.

According to Cybereason Nocturnus researchers, the infostealing campaign is primarily focused on customers of Latin America’s largest e-commerce company, MercadoLivre.

“The Latin American cybercrime scene has evolved a great deal in recent years, with some of the more notorious malware variants gaining prominence in just the last year, including Grandoreiro, Ursa and Astaroth,” the researchers noted.

Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.js information stealer that exfiltrates data using the node process.

Chaes is distributed via phishing emails that notify users that a MercadoLivre purchase has been successful. Upon opening the message, a connection with the attacker's command-and-control (C2) server is established and the first malicious payload, an .msi file, is downloaded. This file, in turn, deploys an invisible.vbs file used to execute other processes, as well as uninstall.dll and engine.bin, which together act as the malware's "engine", downloading additional content and maintaining its foothold on the infected machine.
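As an added illustration (not code from the article or from Cybereason), the following pass over constructed Sysmon-style process-creation events shows how a defender could surface the stages just described: an MSI installed from a user-writable path, a script host spawned directly by msiexec, the reported file names, and a Node.js runtime running out of AppData. The parent/child relationships, the user paths and the use of rundll32 to load uninstall.dll are assumptions; the article does not state them.

```python
import re
from typing import Dict, List

# Constructed events standing in for an infection chain like the one described above.
# Paths, parents and the rundll32 loader are assumptions, not details from the article.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "outlook.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\ana\AppData\Local\Temp\pedido.msi /qn"},
    {"parent": "msiexec.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\ana\AppData\Roaming\invisible.vbs"},
    {"parent": "wscript.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\ana\AppData\Roaming\uninstall.dll"},
    {"parent": "rundll32.exe", "image": "node.exe",
     "cmdline": r"C:\Users\ana\AppData\Roaming\node.exe C:\Users\ana\AppData\Roaming\engine.bin"},
    {"parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": r"chrome.exe --profile-directory=Default"},
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Program Files\Vendor\setup.msi"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
CHAES_ARTIFACTS = ("invisible.vbs", "uninstall.dll", "engine.bin")


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event resembles the Chaes chain (empty list = nothing matched)."""
    reasons: List[str] = []
    cmd = event["cmdline"].lower()
    image = event["image"].lower()
    parent = event["parent"].lower()
    # Stage 1: the MSI fetched after the phishing mail is installed from a user-writable path.
    if image == "msiexec.exe" and USER_WRITABLE.search(cmd):
        reasons.append("msiexec installing package from user-writable directory")
    # Stage 2: the MSI hands off to a script host (invisible.vbs) rather than a normal installer action.
    if image in SCRIPT_HOSTS and parent == "msiexec.exe":
        reasons.append("script host spawned directly by msiexec")
    # Final stage: a Node.js runtime executing from AppData instead of an installed location.
    if image == "node.exe" and USER_WRITABLE.search(cmd):
        reasons.append("node.exe executing from user-writable directory")
    # File names reported for this campaign: cheap to match, but trivially renamed by the author.
    for name in CHAES_ARTIFACTS:
        if name in cmd:
            reasons.append(f"known artifact name {name}")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map the index of every event that produced at least one reason to its reasons."""
    hits: Dict[int, List[str]] = {}
    for i, event in enumerate(events):
        reasons = assess(event)
        if reasons:
            hits[i] = reasons
    return hits
```

The behavioural checks (msiexec from AppData, msiexec spawning a script host, node.exe from AppData) survive a rename of the dropped files, whereas the artifact-name matches do not.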

Chaes is designed to steal sensitive information from the browser, such as login credentials, credit card numbers and other financial information belonging to MercadoLivre customers. The malware can also take screenshots of the infected machine and hook and monitor the Chrome web browser to collect user data from infected hosts.

“Chaes delivery consists of several stages that include use of LoLbins and other legitimate software, making it very challenging to detect by traditional AV products. Chaes also has multiple stages and is written in several programming languages including JavaScript, VBScript, .NET, Delphi and Node.js,” the researchers said.

They also noted that Chaes appears to be under active development, with its creators regularly equipping the malware with new capabilities.
