A new variant of the Chaes malware identified as "Chae$4" was found targeting the banking and logistics industries, as well as major content management platforms.
In a blog post Sept. 5, Morphisec researchers said Chae$4 has targeted customers of prominent platforms and banks such as Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and MetaMask.
Dozens of content management services have also been hit, including WordPress, Joomla, Drupal, and Magento. Morphisec said it was able to block many of these attacks before they caused too much damage.
The researchers also pointed out in the blog that the Chaes malware isn't entirely new. Its first appearance dates back to November 2020, when researchers from Cybereason highlighted its operations primarily targeting e-commerce customers in Latin America.
Over the years, the Chaes malware has undergone major overhauls: this new fourth version features a refined code architecture and improved modularity; added layers of encryption and increased stealth capabilities; and a shift to Python, which results in lower detection rates by traditional defense systems.
“Chae$4’s success lies in its focused targeting approach,” said Michael Gorelik, chief technology officer at Morphisec. “The malware’s adaptive and continuously changing framework empowers hackers to maintain a strategic advantage over defenders that are mostly stagnant. With precision targeting of victims and a low-profile approach, these campaigns flourish unnoticed, aided by Python's rising popularity as the attacker’s preferred tool.”
Andrew Barratt, vice president at Coalfire, said he thought Chae$4 was a nasty piece of malware that appears to directly prey on vulnerable users with an initial access technique that attackers can easily trigger via some paid ads across syndicated websites. Barratt said the breadth of its capabilities is a further nod to this, looking for anything it can get its digital fingers around.
“This could be inadvertently installed by a home user on a shared PC, which then exposes another user to the same threat,” said Barratt. “It’s also very possible that the reengineering of the malware has been part of a broader attempt to sell this to organized crime groups as part of a malware-as-a-service offering.”
Barratt added that the malware’s modular nature would support this approach, too, as the existing modules can act as a proof-of-value to one organized crime group, and then those targeting banking credentials or sites specifically could be “plugged” to a different demographic.
“This is certainly one to watch as the targets of infection are probably non-corporate users, but it will be the enterprise organizations that foot the bill for either fraudulent transactions or the cost of supporting their users to further defend themselves,” explained Barratt.