The original Chae$ malware was identified in September 2023, and its latest version, dubbed Chae$ 4.1, employs advanced code polymorphism to bypass antivirus detection.
Morphisec Threat Labs has documented its findings on Chae$ 4.1, an update to the Chae$ infostealer malware series, as part of its investigation of emerging cyber threats. The report explores the new Chae$ variant, highlighting its mechanics, its implications, and safeguarding measures.
Back in September 2023, Morphisec shared with Hackread.com its analysis of a new variant of Chae$ malware, dubbed Chae$4. The malware targeted login credentials, financial data, and other sensitive information of e-commerce customers, particularly in Brazil.
Chae$4 was evolving quickly, and in its latest research blog, Morphisec provided details on the updates in Chae$ 4.1, which include an improved Chronod module and, surprisingly, a direct message to the Morphisec team within the source code. Version 4.1 is a significant improvement over the brute-force and basic obfuscation methods of previous versions.
The infection chain begins with an email in Portuguese, claiming to be an urgent request from a lawyer concerning a legal case. The victim is redirected to a deceptive website (totalavprotectionshop/abrirProcesso.php?email=), where they are prompted to download a ZIP file. The same website also impersonates TotalAV, in which case it delivers the MSI installer directly, without the intermediary step of a ZIP file.
Once the site's fake scan completes, it displays a message stating “Security Risk Detected” and prompts the victim to download an updated driver to eliminate the risk. The unsuspecting victim clicks the button, which triggers a script named download.js to deliver the malicious installer.
Once the installer runs, Chae$ 4.1 executes, and from this point the attack chain follows the same path Morphisec documented in its previous analyses, apart from some advancements in the Chae$ framework, such as modifications to the Chronod module. After successful activation, exfiltrated data is delivered to the threat actor’s C2 and to the Chae$ team panel login page.
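The two-stage lure described above (a legal-case pretext page that takes an `email` query parameter, followed shortly by a ZIP or MSI download from the same lookalike host) is the kind of sequence a defender can flag in web-proxy logs. The script below is an added example and is not code from the report, from Morphisec or from Hackread.com; the log lines, the `.example` top-level domain appended to the lookalike host, the brand-token list, the vendor allowlist and the ten-minute window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not taken from the report):
# timestamp, client IP, requested URL, response content type.
SAMPLE_LOG = """\
2024-01-10T09:12:01 10.0.0.15 http://totalavprotectionshop.example/abrirProcesso.php?email=user@corp.example text/html
2024-01-10T09:12:40 10.0.0.15 http://totalavprotectionshop.example/download/processo.zip application/zip
2024-01-10T09:13:05 10.0.0.22 http://totalavprotectionshop.example/abrirProcesso.php?email=other@corp.example text/html
2024-01-10T09:13:09 10.0.0.22 http://totalavprotectionshop.example/driver/update.msi application/x-msi
2024-01-10T09:20:00 10.0.0.31 https://intranet.corp.example/reports/q4.zip application/zip
2024-01-10T11:45:00 10.0.0.15 http://totalavprotectionshop.example/setup.msi application/x-msi
"""

# Assumed tuning values: brand tokens that a lookalike host would contain,
# an operator-maintained allowlist of legitimate vendor hosts (placeholder),
# and the content types treated as installer payloads.
BRAND_TOKENS = ("totalav",)
ALLOWED_VENDOR_HOSTS = {"vendor.example"}
PAYLOAD_TYPES = {"application/zip", "application/x-msi"}
PAYLOAD_SUFFIXES = (".zip", ".msi")


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, client, url, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client, "url": url, "ctype": ctype}


def is_lure(parts):
    """The pretext page: abrirProcesso.php with an email parameter (path from the report)."""
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.path.lower().endswith("/abrirprocesso.php") and "email" in query


def is_payload(parts, ctype):
    """ZIP or MSI download, judged by path suffix or response content type."""
    return parts.path.lower().endswith(PAYLOAD_SUFFIXES) or ctype in PAYLOAD_TYPES


def is_lookalike(host):
    """Host carries a security-vendor brand token but is not an allowlisted vendor host."""
    return any(tok in host for tok in BRAND_TOKENS) and host not in ALLOWED_VENDOR_HOSTS


def detect(log_text, window=timedelta(minutes=10)):
    """Return one alert per payload download that matches at least one rule."""
    last_lure = {}  # (client, host) -> timestamp of the most recent lure page
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        parts = urlsplit(ev["url"])
        host = parts.hostname or ""
        key = (ev["client"], host)
        if is_lure(parts):
            last_lure[key] = ev["ts"]
            continue
        if not is_payload(parts, ev["ctype"]):
            continue
        rules = []
        lure_ts = last_lure.get(key)
        # Rule 1: payload fetched from the same host within `window` of the lure page.
        if lure_ts is not None and ev["ts"] - lure_ts <= window:
            rules.append("lure_then_payload")
        # Rule 2: payload served by a vendor-lookalike host, regardless of timing.
        if is_lookalike(host):
            rules.append("lookalike_vendor_host")
        if rules:
            alerts.append({"ts": ev["ts"].isoformat(), "client": ev["client"],
                           "host": host, "url": ev["url"], "rules": rules})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["host"], ",".join(alert["rules"]))
```

On the constructed sample, the two clients that visit the pretext page and then fetch an archive or installer within the window trigger both rules; the intranet ZIP download triggers neither; and the later MSI fetched from the lookalike host outside the window is still caught by the host rule alone, which is why the two rules are kept independent.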
The Chronod module intercepts user activity to steal information like login credentials and banking information. It spans over 2,000 lines of code and has been adjusted to steal credentials from specific services like WhatsApp, AWS, and WordPress. In version 4.1, the Chae$ team rewrote the module to be more generic and modular, dividing the logic into several classes instead of one class responsible for all functionality.
Chae$ 4.1 also employs advanced code polymorphism to evade antivirus detection and is able to detect sandbox environments, raising concerns about its potential impact on users.
To stay safe, regularly update your operating system and software, use a layered security solution with advanced malware detection, be cautious when clicking on suspicious links or opening attachments, and regularly back up critical data. Staying informed and adopting robust security practices can help protect against cyberattacks.