APR 28, 2024 JLM 59°F 01:24 AM 06:24 PM EST
Morphisec Discovers New Chaes Malware Variant Targeting Financial and Logistics Customers

The threat’s sophistication was observed to increase over multiple iterations from April to June 2023.

As the world of cyber threats evolves at an astonishing pace, staying ahead of these digital dangers becomes increasingly critical for businesses.

In January 2023, Morphisec identified an alarming trend where numerous clients, primarily within the logistics and financial sectors, were under the onslaught of a new and advanced variant of Chaes malware. The sophistication of the threat was observed to increase over multiple iterations from April to June 2023.

Thanks to Morphisec's cutting-edge technology, many of these attacks were thwarted before causing significant damage. 

This isn't just any ordinary Chaes variant. It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol. Additionally, it now boasts a suite of new modules that further its malicious capabilities. 

The targets of this malware are not random. It has a specific focus on customers of prominent platforms and banks such as Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and even MetaMask. Furthermore, dozens of content management system (CMS) platforms haven't been spared either, including WordPress, Joomla, Drupal, and Magento.

It is important to note that the Chaes malware isn't entirely new to the cybersecurity landscape. Its first appearance dates back to November 2020, when researchers from Cybereason highlighted its operations primarily targeting e-commerce customers in Latin America. 

In November 2020, Cybereason released its initial research on the Chaes malware. The report highlighted that the malware had been active since at least mid-2020, predominantly targeting e-commerce customers in Latin America, especially Brazil.

This latest iteration of Chaes unveils significant transformations and enhancements, and is labeled by Morphisec as version 4.  

Significant changes include a refined code architecture and improved modularity, an expanded catalog of services targeted for credential theft, the implementation of a domain generation algorithm (DGA) for dynamic resolution of the C2 server's address, and more.

The infection starts with the execution of a malicious, almost undetected MSI installer that usually pretends to be a JAVA JDE installer or an antivirus software installer. Execution of the malicious installer causes the malware to deploy and download its required files into a dedicated, hard-coded folder.

Image - Reuters
