
Chrome: this Trojan can drain your account thanks to malicious extensions

Avast IT security researchers discovered that a malware campaign compromised over 800 WordPress sites to deliver a trojan dubbed Chaes. This malware uses infected Google Chrome extensions to drain victims’ bank accounts.


Not a day goes by without news of yet another piece of malware. After the French Ministry of Justice was hit by ransomware, it is now the customers of several Brazilian banks who are the target of a new cyberattack.

As Avast security researchers point out, the campaign relies on a malware strain called Chaes. It has already compromised more than 800 WordPress websites and continues to spread through them. Chaes is an information stealer delivered through a particularly sophisticated infection chain.

“Chaes is characterized by a multi-step delivery that uses scripting frameworks such as JScript, Python and NodeJS, binaries written in Delphi (ed. note: a programming language) and malicious Google Chrome extensions”, explain Anh Ho and Igor Morgenstern, researchers at Avast. “Chaes’ ultimate goal is to steal credentials stored in Chrome and intercept logins from popular banking sites in Brazil”.


Chaes malware hijacks Chrome to ruin its victims

Here is Chaes’ modus operandi. The attack begins when a user visits one of the compromised websites: a pop-up prompts them to install a fake JavaRuntime application. If the victim follows the instructions, the malicious installer kicks off a multi-stage delivery routine that ends with the deployment of several modules. These modules are the malicious Chrome extensions mentioned above. Here are their names and roles:

  • Online: a Delphi module used to fingerprint the victim and send system information to the command-and-control (C2) server
  • Mtps4: a Delphi backdoor whose main task is to connect to the C2 server and wait for a Pascal script to execute in response
  • Chrolog: a Google Chrome password stealer written in Delphi
  • Chremows: a JavaScript banking trojan that logs keystrokes and mouse clicks in Chrome in an attempt to steal user information
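Because the final payloads are extensions rather than ordinary executables, the quickest host-side check for an infection like this is to audit what Chrome itself has recorded about installed extensions. The script below is an added example, not code from the article or from Avast’s analysis: it parses the `extensions.settings` map of a Chrome profile’s Preferences file and scores each extension on provenance (not from the Chrome Web Store, loaded unpacked or via the command line) and on capability (host patterns covering every site, permissions that allow request interception). The preference keys, the `ManifestLocation` numeric values and the sample entries are my assumptions about the Chromium format; the `JavaRuntime` path and extension IDs are constructed for the demo and are not known Chaes indicators.

```python
"""Audit the extensions recorded in a Chrome profile's Preferences JSON.

Added example: flags extensions that were not installed from the Web Store
and that can read every page the user visits. Not code from the article.
"""
import json
import sys

# Chromium ManifestLocation values as I understand them from the Chromium
# source (assumption, not stated in the article):
#   1 = INTERNAL (Web Store install), 4 = UNPACKED ("Load unpacked"),
#   8 = COMMAND_LINE (started with --load-extension).
DEVELOPER_LOADED = {4, 8}

# Match patterns that give an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension observe tabs, cookies or HTTP traffic.
SENSITIVE_PERMS = {"tabs", "cookies", "webRequest", "webRequestBlocking", "scripting"}

# Constructed 32-character IDs (Chrome IDs use the letters a-p).
LEGIT_ID = "a" * 32
SUSPECT_ID = "b" * 32

# Constructed sample in the shape of extensions.settings; not a real profile.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            LEGIT_ID: {
                "from_webstore": True,
                "location": 1,
                "state": 1,
                "manifest": {
                    "name": "Example Notes",
                    "permissions": ["storage"],
                    "content_scripts": [{"matches": ["https://example.com/*"], "js": ["notes.js"]}],
                },
            },
            SUSPECT_ID: {
                "from_webstore": False,
                "location": 4,
                "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\JavaRuntime\\ext",  # constructed
                "manifest": {
                    "name": "Java Runtime Helper",
                    "permissions": ["tabs", "webRequest", "<all_urls>"],
                    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
                },
            },
            "c" * 32: {"state": 1},  # placeholder entry without a manifest (skipped)
        }
    }
}


def host_patterns(manifest):
    """Collect every host match pattern an extension requests."""
    pats = {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    pats.update(manifest.get("host_permissions", []))          # Manifest V3
    for cs in manifest.get("content_scripts", []):
        pats.update(cs.get("matches", []))
    return pats


def audit_extension(ext_id, entry):
    """Score one extensions.settings entry; higher means more suspicious."""
    manifest = entry.get("manifest", {})
    reasons, score = [], 0
    if not entry.get("from_webstore", False):
        reasons.append("not installed from the Chrome Web Store")
        score += 2
    if entry.get("location") in DEVELOPER_LOADED:
        reasons.append("developer-loaded from %s" % entry.get("path", "?"))
        score += 3
    broad = host_patterns(manifest) & BROAD_HOSTS
    if broad:
        reasons.append("runs on every site: " + ", ".join(sorted(broad)))
        score += 2
    perms = set(manifest.get("permissions", [])) & SENSITIVE_PERMS
    if perms:
        reasons.append("sensitive permissions: " + ", ".join(sorted(perms)))
        score += 1
    return {"id": ext_id, "name": manifest.get("name", "?"), "score": score, "reasons": reasons}


def audit_preferences(prefs):
    """Return scored findings (score > 0) for a parsed Preferences document."""
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if "manifest" not in entry:
            continue  # component or placeholder entries carry no manifest
        result = audit_extension(ext_id, entry)
        if result["score"] > 0:
            findings.append(result)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    # Pass a real Preferences / Secure Preferences path to audit a live profile.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            prefs = json.load(fh)
    else:
        prefs = SAMPLE_PREFS
    for f in audit_preferences(prefs):
        print("%s %-20s score=%d" % (f["id"], f["name"], f["score"]))
        for r in f["reasons"]:
            print("    - " + r)
```

On Windows the profile lives under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\`, and the `extensions.settings` map is normally kept in `Secure Preferences` rather than `Preferences`, so audit both. A developer-loaded extension with `<all_urls>` access is exactly the profile a credential stealer or keylogging extension needs, which is why provenance weighs more than any single permission in the score.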

Avast says the campaign is still ongoing; the researchers have shared their findings with the Brazilian CERT, the government center for monitoring, alerting and responding to computer attacks.

Source: TheHackerNews
