Sunday, January 24, 11:22
Home security Chaes malware: Targets e-commerce platform customers

Chaes malware: Targets e-commerce platform customers

Security researchers Cybereason Nocturnus they discovered a new one malware, which has been used in many attacks with their goal customers of the largest e-commerce platform in Latin America. The researchers called the malware "Chaes”And said that it is used, mainly, for theft of financial information.

Chaes malware

The researchers said that the main target of Chaes malware is Brazilian customers of the largest e-commerce company in the area, MercadoLivre. MercadoLivre is headquartered in Buenos Aires, Argentina and operates an online e-commerce platform as well as an auction platform.

Malware is targeting her brazilian site company and the MercadoPago payment page to steal customers' financial information. The final payload of Chaes is one Node.Js information stealer that steals data.

Researchers have recently discovered Chaes malware and observed that it is distributed mainly through Phishing emails, which they say in victims that their purchase from the MercadoLivre platform was successful. To make the message more convincing and more legitimate, hackers also attach a footnote that says "Avast has been scanned".

Phishing emails contain one malicious attachment file . Docx. Assaf Dahan, head of research at Cybereason, said the attachment utilizes "a template injection technique, using its built-in feature Microsoft Word for receiving a payload from a remote server ".

If a victim clicks on the file, the vulnerability for establish a connection to the attacker 's command-and-control (C2) server, as well as for download the first malicious payload, which is a .msi file.

This file develops one .vbs file (which is used to perform other procedures), as well as uninstall.dll and engine.bin, which act as the "machine" of malware. Also, three other files are installed, of hhc.exe, hha.dll and chaes1.bin, combining the main data of Chaes malware. The researchers also identified one cryptocurrency mining module.


The Chaes malware develops modules that appear as legal proceduresto steal system information, extract sensitive information from Google Chrome browser sessions, collect credentials for accounts and steal financial information.

The researchers focused on the potential of Chaes malware to open a Chrome session. The activity is monitored and controlled through the API hooking technique and the Node.js library Puppeteer. Chaes malware can also pull screenshots of MercadoLivre pages visited by the victims, and send them to C2.

"The worrying thing about this node.js-based malware is that most of this behavior is considered normal, as using the Puppeteer library for web scraping is not malicious in nature.", Says the research team. "Therefore, detecting such threats is much more difficult".

However, Chaes seems to be under development, as they have been identified as well Revised releases that directly target MercadoLivre e-commerce related pages.

Cybereason researchers check to see if Chaes malware is being used on attacks and other e-commerce platforms and warn of a “possible future trend in the use of the Puppeteer library for further attacks in large financial institutions ”.

Source: ZDNet


Please enter your comment!
Please enter your name here

Digital Fortress
Digital Fortress
Pursue Your Dreams & Live!


Instagram: How to enable notifications for specific profiles

There are some profiles on Instagram where you want to see the content they publish as soon as possible - it can be a news ...

NASA's historic launch pad is to be demolished

NASA's famous Mobile Launcher Platform-2 launch platform, which has been linked to the Apollo and Space Shuttle missions, ...

Elon Musk: Gives $ 100 million for best CO2 capture technology Ο Elon Musk δήλωσε χθες, στο λογαριασμό του στο Twitter, ότι σκοπεύει να δώσει 100 εκατομμύρια...

How can you unblock sites and services using a VPN?

The Internet is free and open to all. However, there are some sites and services whose content is blocked, which ...

Google Chrome: How to manage your extensions?

Google Chrome extensions can be very useful, as they improve your productivity when using the browser.

Intel CPUs Review: Core i7-10700 vs Core i7-10700K!

Over the years, the Intel series of processors (CPUs) introduced the series of overclocking models "K" and more recently the series ...

The DeLorean can return as an electric car

The DMC DeLorean has been out of production for almost 40 years, but it looks like the iconic vehicle will return as an electric car.

Windows RDP servers are used to support DDoS

Cybercrime gangs are abusing Windows Remote Desktop Protocol (RDP) systems to reinforce the unwanted ...

SEPA: He refused to pay a ransom and thousands of files were leaked

Thousands of stolen files of the Scottish Environmental Protection Agency (SEPA) have been published by hackers, after the organization refused to pay the ransom ...

Fines at Valve, Capcom and Zenimax for geo-exclusion of games

Following a European Commission investigation, a group of video game publishers was fined € 7,8 million following allegations of geo-exclusion practices. In...