VTA-004462 – Chae$ 4: New Chaes Malware Variant Targeting Financial and Logistics Customers

The Chae$ 4 malware was first detected early on in January 2023 by Morphisec when they noticed that there were numeral attacks launched at the logistics and financial customers. The attacks carried on and was observed to increase over multiple iterations from April to June 2023.

The “4” in the name represents the 4th variant of the malware, as Chaes has a decent history with their malware. Chaes’ first variant was first active mid-2020, primarily targeting E-Commerce users in Latin Amerca, primarily Brazil. The most recent variant, Chae$ 4, brought significant changes to how the malware functioned. Chaes refined their coding architecture, improved modularity, added layers of encryption and also increased their stealth capabilities. To achieve this, they shifted to Python which undergoes decryption and dynamic in-memory execution.

The malware gets it’s initial access to the victim’s system through compromised websites, even credible websites. The compromised websites were all WordPress websites, Chaes exploited a vulnerability in WordPress CMS. When a user enters one of the compromised websites, they are greeted with a Java pop up, asking them to install a Java Runtime application. The fake Java MSI is identical when it comes to the appearance and behavior of the installer. Once the user runs the installer, the malware starts to deploy and install the required files inside a hard coded folder within the appdata folder. The folder includes Python libraries, Python executables, encrypted files and Python scripts that the malware will utilize later on. The malware then unpacks the core module which is known as ChaesCore, which is used for setting persistence using Scheduled Tasks and migrating into targeted processes. After that, ChaesCore communicates with the C2 address in order to download and load external modules into the infected system. After Chaes has been installed into the system, all web credentials, history, user profiles stored by Chrome will be sent to attackers.

Severity:
Medium

Technical Impact Analysis
Loss of Availability, Loss of Confidentiality

Business Impact Analysis
Financial Damage, Privacy Violation, Reputation Damage

Attack Surfaces:
Endpoint, Web Browser

Tactics:
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Initial Access, Persistence

Techniques:
T1071 Application Layer Protocol
T1547 Boot or Logon Autostart Execution
T1185 Browser Session Hijacking
T1091 Phishing
T1059 Command and Scripting Interpreter
T1132 Data Encoding
T1140 Deobfuscate/Decode Files or Information
T1573 Encrypted Channel
T1048 Exfiltration over alternative protocol
T1574 Hijack Execution Flow
T1105 Ingress Tool Transfer
T1056 Input Capture
T1036 Masquerading
T1112 Modify Registry
T1106 Native API
T1027 Obfuscated Files or Information
T1053 Scheduled Task/Job
T1176 Browser Extensions
T1113 Screen Capture
T1555 Credentials from Password Stores
T1029 Scheduled Transfer

References:
https://decoded.avast.io/anhho/chasing-chaes-kill-chain/

SuperPRO’s Threat Countermeasures Procedures: 
1. Keep all software and systems up to date with the latest patches and updates to minimize the risk of exploitation.
2. Provide cybersecurity awareness training to employees to educate them about the risks of phishing attacks and social engineering techniques.
3. Regularly backup critical data and ensure that backups are stored securely.
4. Employ strong security measures such as firewalls, intrusion detection systems, and antivirus software to detect and prevent unauthorized access and malware infections.
5. Divide your network into smaller, isolated segments, each with its own set of security controls. This helps to contain the impact of a potential breach and limits an attacker’s ability to move laterally.
6. Follow least privilege access in granting access only to the resources and systems that are necessary for each user or system.
7. Deploy security tools such as SIEM (Security Information and Event Management) to detect and analyze network traffic.
8. Enforce strong access controls, including multi-factor authentication and strong passwords, to prevent unauthorized access to systems and resources.
9. Regularly perform penetration testing to identify any vulnerabilities or weaknesses in your network.

Contributed by: Sherman