New Malware Stealing Data From E-commerce Sites
Researchers at Cybereason Nocturnus have documented a new malware called Chaes, which abuses legitimate features to steal sensitive data from users' systems in Latin America. It has been seen specifically targeting MercadoLivre users based in Latin America. MercadoLivre is the largest e-commerce company in the region, based in Buenos Aires, Argentina, with hundreds of millions of users registered on its platform. Researchers initially discovered Chaes in late 2020, spreading through phishing emails, as so much other malware does. It was found spreading via a malicious Word document (.docx).
Threat actors even added a "scanned by Avast" footnote to the document to make it look more legitimate. Researchers said the document uses a built-in Microsoft Word feature, remote template injection, to fetch a payload from a remote server. Thus, upon opening the file, it establishes a connection with the attacker's C2. That connection retrieves a malicious .msi installer, which in turn drops a .vbs file. The script is used to execute further processes and to fetch uninstall.dll and engine.bin, which act as the malware's "engine." Payload retrieval continues with three more files, hhc.exe, hha.dll and chaes1.bin, which are assembled into Chaes's main components. Besides all these, researchers have also noted a cryptocurrency mining module.

The malware also creates registry keys so that its engine persists across reboots. It then deploys further modules for its actual purposes: stealing system information, harvesting login credentials for online accounts, extracting sensitive data from Google Chrome browser sessions, and exfiltrating financial data, such as that from MercadoLivre's domain when users visit it. Researchers also note Chaes's ability to monitor users' activity through a Node.js library called Puppeteer, which lets the attackers drive MercadoLivre and MercadoPago pages without any user interaction. Further, it is reported to take screenshots of MercadoLivre pages when they are visited and send them to the attacker's C2.