In a research report, Israeli-based Morphisec said it observed a brand new version of malware known as Chaes.
This new version, named Chae$ 4, comes with “significant transformations and enhancements”, which include new means to steal credentials, and a way to steal clipboard data.
“The malware uses Google’s DevTools Protocol to connect to the current browser instance,” the researchers said. “This protocol allows direct communication with the inner browser’s functionality over WebSockets.” Through this protocol, the attackers can run scripts, intercept network requests, read POST bodies before encryption, and more, they added.
Chaes is hardly new. It’s been around for years, with first observations being recorded in 2020. Since then, it lived through numerous changes and upgrades, with the latest one also being the biggest one: “It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,” Morphisec said.
Chaes’ operators, going by the name Lucifer, mostly target organizations in banking and logistics industries, located in Latin America. Most of their targets are Brazilian.
To infect their targets’ endpoints, the attackers would first compromise a website, and install a pop-up which would have the visitors download an installer for Java Runtime or an antivirus. This, in fact, would deliver a malicious MSI file, launching the first module for Chaes. It’s this module that later downloads additional payloads, depending on the attackers’ plans. Some modules steal extensive information about the victim’s device, others can steal credentials stored in the browser. Some can intercept financial payments (both fiat and crypto), and some can upload various sensitive data to the threat actors’ C2.