Morphisec, a cybersecurity firm, has recently discovered a new and advanced malware variant known as Chae$4, which specifically targets customers of financial and logistics companies in Latin America. The emergence of this evolved malware raises concerns about the safety and security of sensitive information for businesses and individuals operating in the region.
The Chaes malware was first detected in November 2020, primarily targeting e-commerce customers in Latin America, with Brazil being the main focus. Since its initial appearance, the malware has been active for several months, targeting unsuspecting victims and causing significant damage. The latest variant, Chae$4, however, represents a significant advancement in its capabilities and is extremely difficult to detect.
According to a report Morphisec shared with Hackread.com, Chae$4 employs sophisticated encryption and stealth mechanisms that make it challenging for traditional defenses to detect and neutralize. The malware is written largely in Python and relies on decryption followed by dynamic in-memory execution, effectively evading common security measures. Chae$4 has also abandoned Puppeteer, a popular browser-automation tool, in favor of a customized approach to monitoring and intercepting the activity of Chromium-based browsers.
One of the notable features of Chae$4 is its broader range of targets. It now focuses on prominent platforms and banks in Latin America, including Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and even MetaMask. By targeting these high-profile platforms, the malware poses a significant threat to the financial and personal information of users.
Chae$4 uses WebSockets as the primary communication channel between its modules and the Command and Control (C2) server, and a Domain Generation Algorithm (DGA) to resolve the C2 server's address dynamically. This helps the malware maintain persistence and evade detection by frequently changing its communication channels.
The Chae$4 malware consists of several modules, each serving a specific purpose: the Init Module, which initiates communication with the attacker and gathers extensive system data; the Online Module, which acts as a beacon reporting the infected system's activity status to the attacker; and the Chronod Module, which steals credentials by targeting browser activity and financial information such as BTC, ETH, and PIX transfers.
Chae$4 also includes the Appita, Chrautos, Stealer, and File Upload modules. Their functions include targeting specific banks, stealing data from Chromium-based browsers, and uploading specific files related to the MetaMask Chrome extension.
The infection typically begins with the execution of a malicious MSI installer disguised as a legitimate application installer. Once deployed, the malware downloads the files it needs and establishes persistence on the infected system. ChaesCore, the core component of the malware, is responsible for setting up persistence and migrating into legitimate processes. Once initialized, ChaesCore communicates with the C2 server and downloads additional modules as required, and this communication is encrypted to hide its activity.
In light of the advanced capabilities and potential risks associated with Chae$4, businesses and individuals should take proactive measures to protect themselves. It is crucial to stay informed about the malware, as it is still under development and may gain new features and functionality in the future. While Chae$4 currently targets a specific region, it could be turned against other regions in the future, which underlines the importance of maintaining up-to-date security measures.
To mitigate the risks posed by Chae$4, businesses should consider implementing comprehensive cybersecurity strategies. This includes using advanced threat detection and prevention solutions, regularly updating security software, educating employees about the importance of cybersecurity practices, and conducting periodic security audits.
As cyber threats continue to evolve and become more sophisticated, it is essential for organizations and individuals alike to remain vigilant and take proactive steps to safeguard their critical data and systems. By staying informed about emerging threats like Chae$4 and implementing robust security measures, businesses can mitigate the potential impact of cyberattacks and protect their valuable information from falling into the wrong hands.