Chae$ 4: The Evolution of a Cyberthreat
Chae$ 4 isn’t your run-of-the-mill Chaes malware variant. The earlier versions of Chaes stole information, primarily login credentials, from browsers; they could also capture screenshots, monitor browser activity, and perform reconnaissance. Annoying, but nothing to write home about. Now the endpoint security company Morphisec has discovered a new and more advanced variant, Chae$ 4. This variant primarily targets the logistics and financial sectors, which means business.
The primary targets have been users of prominent platforms, banks, and wallets, including Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and the MetaMask crypto wallet. Additionally, credentials for many content management system (CMS) platforms, such as WordPress, Joomla, Drupal, and Magento, are also targeted.
Along with targeting financial and logistics organizations, Chae$ has undergone significant revamps: a complete rewrite in Python, which lowered detection rates by traditional defenses, and a full redesign with an enhanced communication protocol. The malware also features a range of new modules that expand its malicious capabilities.
Specifically, it now boasts:
- Enhanced code architecture and modularity.
- Increased encryption and stealth capabilities.
- Shift to Python for decryption and dynamic in-memory execution.
- Replacement of Puppeteer with a custom approach for monitoring Chromium browsers.
- Expanded target services for credential theft.
- Use of WebSockets for communication between modules and the C2 server.
- Implementation of domain generation algorithm (DGA) for dynamic C2 server address resolution.
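To make the last item concrete, the following is an added example of how a date-seeded domain generation algorithm works and how a defender turns it against the operator. It is a generic illustration written for this page, not Chae$ 4’s own algorithm (the report summarized here does not reproduce that algorithm); the seed, label length, TLD list, and candidate count are all assumptions. Every infected host and the operator compute the same ordered list of candidate domains for a given day without any prior exchange, so the operator only needs to register one of them; once a defender recovers the seed and algorithm from a sample, the same function precomputes the domains for the coming days so they can be blocked or sinkholed.

```python
"""Illustrative date-seeded DGA plus the defender-side enumeration of it.

Added example for this page, not Chae$ 4's code. SEED, TLDS, the label
length and the per-day candidate count are assumptions for illustration.
"""
import hashlib
import string
from datetime import date, timedelta
from typing import List, Optional, Set

ALPHABET = string.ascii_lowercase + string.digits
TLDS = ("com", "net", "org")        # assumption: a small TLD rotation
SEED = b"example-campaign-seed"     # assumption: hard-coded per campaign


def dga_domain(day: date, index: int, seed: bytes = SEED, label_len: int = 12) -> str:
    """Derive the index-th candidate domain for `day`.

    The domain is a deterministic function of (seed, day, index). The
    modulo over a 36-character alphabet is slightly biased; that is
    irrelevant here because nobody needs the labels to be uniform, only
    reproducible on both ends.
    """
    material = seed + day.isoformat().encode() + index.to_bytes(2, "big")
    digest = hashlib.sha256(material).digest()
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:label_len])
    tld = TLDS[digest[-1] % len(TLDS)]
    return f"{label}.{tld}"


def daily_candidates(day: date, count: int = 20, seed: bytes = SEED) -> List[str]:
    """All candidate C2 domains an implant would try on `day`, in order."""
    return [dga_domain(day, i, seed) for i in range(count)]


def resolve_c2(day: date, registered: Set[str], count: int = 20,
               seed: bytes = SEED) -> Optional[str]:
    """Implant side: walk the day's candidates and return the first one that
    'resolves'. `registered` stands in for DNS so the example runs offline."""
    for candidate in daily_candidates(day, count, seed):
        if candidate in registered:
            return candidate
    return None


def blocklist_window(start: date, days: int, count: int = 20,
                     seed: bytes = SEED) -> Set[str]:
    """Defender side: with the seed and algorithm recovered from a sample,
    precompute every domain for the next `days` days to block or sinkhole."""
    out: Set[str] = set()
    for offset in range(days):
        out.update(daily_candidates(start + timedelta(days=offset), count, seed))
    return out


if __name__ == "__main__":
    today = date(2023, 9, 5)
    # Constructed scenario: the operator registered the 4th candidate of the day.
    live = {dga_domain(today, 3)}
    print("today's candidates:", daily_candidates(today, 5))
    print("implant would reach:", resolve_c2(today, live))
    print("7-day blocklist size:", len(blocklist_window(today, 7)))
```

The defender’s advantage in this design is that the blocklist is cheap to keep ahead of the operator: regenerating it is one function call per day, whereas the operator must pay for and register a fresh domain each day. The weakness of a pure date-seeded scheme, from the attacker’s side, is exactly that predictability, which is why real families often mix in a value the defender cannot precompute.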
The malware initiates with a deceptive MSI Windows installer, typically masquerading as a Java JDE installer or antivirus software. Once executed, the installer deploys and downloads the required files and activates the core module, ChaesCore. This module establishes persistence and migrates into targeted processes, then starts its malicious activities.
During the investigation, Morphisec identified seven distinct modules, each with its own functionality. Notably, the threat actor displays a pronounced interest in cryptocurrency, evident from the clipper (clipboard hijacker) used to steal BTC and ETH and from the module that pilfers MetaMask crypto wallet credentials.
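A clipper works by watching the clipboard for something that looks like a wallet address and silently replacing it with the attacker’s address, so the victim pastes the wrong destination into a transfer. The following is an added simulation of that technique on plain strings, written for this page and not taken from Chae$ 4; it never touches the real clipboard, the address patterns are the common BTC and ETH formats, and every address in it is constructed and fake. It also shows the check a user or endpoint agent can make: the text pasted must equal the text copied.

```python
"""Simulated clipboard clipper for BTC/ETH addresses, with a tamper check.

Added example for this page, not Chae$ 4's code. Operates on strings only;
ATTACKER_BTC and ATTACKER_ETH are constructed, non-real addresses.
"""
import re
from typing import List, Tuple

# Legacy base58 (starts with 1 or 3) or bech32 (bc1...) bitcoin addresses.
BTC_RE = re.compile(r"\b(?:bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Ethereum: 0x followed by exactly 40 hex digits.
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Constructed stand-ins for the attacker's wallets (not real addresses).
ATTACKER_BTC = "1AttackerAddr" + "Y" * 21
ATTACKER_ETH = "0x" + "b2" * 20


def find_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (kind, address) pairs found anywhere in `text`, ETH before BTC."""
    found = [("ETH", m.group(0)) for m in ETH_RE.finditer(text)]
    found += [("BTC", m.group(0)) for m in BTC_RE.finditer(text)]
    return found


def clip(text: str, attacker_btc: str = ATTACKER_BTC,
         attacker_eth: str = ATTACKER_ETH) -> str:
    """What a clipper does on each clipboard change: rewrite every wallet
    address in the copied text to the attacker's, leave everything else alone.
    ETH is substituted first so the attacker's own ETH address is not then
    mangled by the BTC pass (it cannot match BTC_RE anyway, but order matters
    in general)."""
    text = ETH_RE.sub(attacker_eth, text)
    text = BTC_RE.sub(attacker_btc, text)
    return text


def tampered(copied: str, pasted: str) -> bool:
    """Defender/user-side check: if what was copied contained a wallet address,
    what gets pasted must be byte-for-byte identical. Any difference means
    something rewrote the clipboard in between."""
    if not find_addresses(copied):
        return False
    return copied != pasted


if __name__ == "__main__":
    victim_eth = "0x" + "a1" * 20                 # constructed
    victim_btc = "1ExampVictimAddr" + "X" * 18    # constructed
    for copied in (victim_eth, f"send 0.1 BTC to {victim_btc} please", "just a note"):
        pasted = clip(copied)
        print(f"copied: {copied}\npasted: {pasted}\ntampered: {tampered(copied, pasted)}\n")
```

The practical defense is the last function: wallets and exchanges already tell users to compare the first and last characters of a pasted address with the one they copied, and an endpoint agent can do the same comparison on every clipboard write and alert when a copied address comes back different.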
If you want to know more, check out Morphisec’s in-depth technical analysis of Chae$ 4. Stay informed, stay safe.