Chaes Malware Description
Security researchers identified a new strain of malware deployed in a widespread attack campaign targeting users in Latin America. Named Chaes, the malware is an infostealer designed primarily to target customers of MercadoLibre, the region's largest e-commerce company. Founded in 1999 and headquartered in Buenos Aires, Argentina, MercadoLibre had an estimated user base of over 320 million at the end of 2019.
The threat actors behind the Chaes Malware have built a multi-stage attack chain for their threat. The first stage is distribution through phishing emails carrying weaponized Word documents. The emails are crafted to look as if they were sent by MercadoLibre as confirmation of a previously made purchase. To add to the pretense of legitimacy, the emails carry a footer stating that the message has been scanned by a security application.
When the user opens the weaponized Word document, a template injection technique delivers the first-stage payload: the document references a remote template hosted on the attackers' Command-and-Control infrastructure, and Word fetches it when the file is opened, which drops the first-stage component on the compromised machine. This initial component is responsible for delivering a .vbs file, which is required to run the remaining stages, as well as the two components that coordinate Chaes Malware's activities, named 'uninstall.dll' and 'engine.bin.' Several additional components are also deployed on the compromised system, including a cryptocurrency miner.
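The remote-template trick described above leaves a detectable trace inside the document itself: a .docx is a ZIP package, and a document that loads an external template carries an 'attachedTemplate' relationship in word/_rels/settings.xml.rels whose Target is a remote URL or UNC path. The following checker is an added example written for this article, not code from the researchers or from the Chaes campaign. It builds two minimal documents in memory as constructed fixtures (the hostname and file names in them are placeholders, not indicators from the campaign) and flags only templates that would be fetched over the network, so a locally stored template does not raise a false alarm.

```python
"""Detect remote-template injection in a .docx package.

Added example for this article; not the researchers' or the malware's code.
Word stores the template a document is attached to as a Relationship of type
'attachedTemplate' in word/_rels/settings.xml.rels. When that relationship is
external and points at an http(s) URL or a UNC share, Word fetches the template
from that location as soon as the document is opened, which is exactly the
behaviour template injection abuses to pull a first-stage payload from a C2.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote_target(target: str) -> bool:
    """True if Word would have to go over the network to load this target."""
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        return True
    if target.startswith("\\\\") or target.startswith("//"):
        return True  # UNC path, fetched over SMB/WebDAV (also leaks NTLM)
    if parsed.scheme == "file" and parsed.netloc not in ("", "localhost"):
        return True  # file://host/share/... is a UNC path in URL form
    return False


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the remote attachedTemplate targets found in a .docx blob.

    An empty list means the document does not pull a template from the network.
    Relationships without TargetMode="External" live inside the package and are
    ignored, as are external targets on the local filesystem (e.g. Normal.dotm).
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue
            target = rel.get("Target", "")
            if is_remote_target(target):
                hits.append(target)
    return hits


def build_docx(rels_xml: Optional[str]) -> bytes:
    """Build a minimal .docx in memory (constructed test fixture, not a real file).

    Only the parts the checker looks at are written; a real document also
    carries styles, content types for every part, and the document body.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if rels_xml is not None:
            z.writestr(SETTINGS_RELS, rels_xml)
    return buf.getvalue()


# Constructed fixture: template injection. The host is a placeholder, not an IOC.
INJECTED_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="http://template-host.example/remote.dotm" TargetMode="External"/>
</Relationships>"""

# Constructed fixture: a benign document attached to a template on local disk.
LOCAL_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}"
    Target="file:///C:/Users/me/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>"""


if __name__ == "__main__":
    for label, rels in (("injected", INJECTED_RELS), ("local", LOCAL_RELS), ("none", None)):
        print(label, find_remote_templates(build_docx(rels)))
```

Run it against a quarantined attachment with `find_remote_templates(open(path, "rb").read())`; a non-empty result is a strong reason to block the file before a user opens it, since legitimate purchase confirmations have no business pulling templates from the internet.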
Once fully established, the Chaes Malware possesses a wide array of threatening capabilities. The threat can harvest system information and sensitive data from Google Chrome sessions, collect login credentials, and start Chrome sessions on its own. This last ability is particularly dangerous, as the malware can open the MercadoLibre and MercadoPago pages without the user's knowledge or consent. The Chaes Malware can also take screenshots of the opened pages. All of the private data obtained by Chaes Malware is then exfiltrated to the attackers' Command-and-Control infrastructure.