Security researchers at Cybereason Nocturnus have discovered a new malware that has been used in numerous attacks targeting customers of the largest e-commerce platform in Latin America. The researchers named the malware "Chaes" and said it is used mainly to steal financial information.
According to the researchers, the main target of Chaes is Brazilian customers of the largest e-commerce company in the region, MercadoLivre. MercadoLivre is headquartered in Buenos Aires, Argentina, and operates an online e-commerce platform as well as an auction platform.
The malware targets the company's Brazilian site and the MercadoPago payment page in order to steal customers' financial information. The final payload of Chaes is a Node.js information stealer.
The researchers discovered Chaes recently and observed that it is distributed mainly through phishing emails telling victims that their purchase on the MercadoLivre platform was successful. To make the message look more convincing and legitimate, the attackers also add a footnote claiming the message "has been scanned by Avast".
The phishing emails carry a malicious .docx attachment. Assaf Dahan, head of research at Cybereason, said the attachment uses "a template injection technique, using the built-in feature of Microsoft Word for retrieving a payload from a remote server".
If a victim opens the file, the vulnerability is exploited to establish a connection to the attacker's command-and-control (C2) server and to download the first malicious payload, which is an .msi file.
This file drops a .vbs file (used to carry out further steps), along with uninstall.dll and engine.bin, which act as the malware's "engine". Three more files are also installed: hhc.exe, hha.dll and chaes1.bin, which together make up the main body of Chaes. The researchers also identified a cryptocurrency mining module.
Chaes deploys modules that pose as legitimate processes in order to steal system information, extract sensitive data from Google Chrome browser sessions, harvest account credentials and steal financial information.
The researchers focused on the ability of Chaes to open a Chrome session. That activity is monitored and controlled through API hooking and the Node.js library Puppeteer. Chaes can also capture screenshots of the MercadoLivre pages visited by victims and send them to the C2 server.
"The worrying thing about this Node.js-based malware is that most of this behavior is considered normal, as using the Puppeteer library for web scraping is not malicious in nature," says the research team. "Therefore, detecting such threats is much more difficult."
However, Chaes appears to be under active development, as the researchers have also identified revised versions that directly target MercadoLivre e-commerce pages.
Cybereason researchers are checking whether Chaes is also being used in attacks on other e-commerce platforms, and warn of a "possible future trend in the use of the Puppeteer library for further attacks on large financial institutions".