Google Chrome Browser Compromised by Chaes Banking Trojan
- By David Lukic
- Published: Jan 27, 2022
- Last Updated: Mar 18, 2022
A trojan known as Chaes is compromising Google Chrome browsers. The banking trojan hijacks the browser through malicious extensions. The attackers behind the malware designed it to steal money and financial details from users of the targeted websites.
What Sites Does Chaes Target?
As of late January, Chaes has primarily targeted WordPress websites; in all, it has infiltrated more than 800 such sites. The sites in question are based in Brazil. More specifically, Chaes zeroes in on Brazilian customers of Mercado Livre, Mercado Bitcoin, Banco do Brasil, Mercado Pago, and Loja Integrada.
How is the Attack Performed?
This cyber-attack uses a multi-stage delivery chain that combines scripts written in Node.js, Python and JScript, Delphi binaries, and malicious web browser extensions. The aim of the attack is to steal credentials stored in users’ Chrome web browsers as well as the login details for Brazil’s most popular banking sites.
The attack begins when a user visits an infected website. At that point a pop-up appears, prompting the user to install what is presented as a Java Runtime application; the application is fake. If the user follows the instructions, the installer starts an elaborate routine that delivers the malware and drops multiple modules.
The Chaes attack is covert because the intermediary payloads are fully encrypted and hidden inside the HTML page’s comments. In the final stage, the JavaScript dropper installs nearly half a dozen malicious Google Chrome extensions.
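Hiding an encrypted payload inside an HTML comment defeats a casual look at the page source, but an encrypted or base64-encoded blob is statistically unlike the short, wordy comments a build step leaves behind. The following script is an added example (not code from the article, Avast or Cybereason) that scans a page's comments for long, high-entropy base64-like runs; the length and entropy thresholds are assumptions chosen for the example, and the sample page is constructed, with a SHA-256 chain standing in for ciphertext so the run is reproducible.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Heuristic thresholds; both are assumptions chosen for this example, not values from any Chaes report.
MIN_BLOB_LEN = 200       # characters; shorter runs are rarely an embedded payload
MIN_ENTROPY_BITS = 4.5   # per character; base64-encoded ciphertext sits near 6.0, English prose near 4.0

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A run of base64-alphabet characters (line breaks allowed, since blobs are often wrapped).
BASE64_RUN_RE = re.compile(r"[A-Za-z0-9+/=\r\n]{%d,}" % MIN_BLOB_LEN)


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def suspicious_comments(html):
    """Return one finding per HTML comment that contains a long, high-entropy base64-like run."""
    findings = []
    for comment in COMMENT_RE.finditer(html):
        body = comment.group(1)
        for run in BASE64_RUN_RE.finditer(body):
            blob = re.sub(r"\s", "", run.group(0))
            if len(blob) < MIN_BLOB_LEN:
                continue  # the run was padded out by line breaks
            entropy = shannon_entropy(blob)
            if entropy >= MIN_ENTROPY_BITS:
                findings.append({
                    "offset": comment.start(),   # where the comment begins in the page
                    "blob_length": len(blob),
                    "entropy": round(entropy, 2),
                    "preview": blob[:32] + "...",
                })
    return findings


def _deterministic_bytes(n, seed=b"constructed-sample"):
    """Stand-in for encrypted payload bytes: a SHA-256 chain, so the sample is reproducible."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample page: one ordinary build comment and one comment carrying an opaque blob.
SAMPLE_HTML = (
    "<html><head>\n"
    "<!-- theme build 2.3.1, generated by the site's build step -->\n"
    "<!--\n" + base64.b64encode(_deterministic_bytes(600)).decode("ascii") + "\n-->\n"
    "</head><body><p>Bem-vindo</p></body></html>\n"
)

if __name__ == "__main__":
    for hit in suspicious_comments(SAMPLE_HTML):
        print(f"comment at byte {hit['offset']}: {hit['blob_length']} chars, "
              f"entropy {hit['entropy']} bits/char, starts {hit['preview']}")
```

Run it over the HTML a compromised WordPress site actually serves (the rendered response, not the theme files on disk), since an injected comment only has to exist in what the browser receives. Hex-encoded blobs top out at 4.0 bits per character, so lower the entropy threshold or add a hex alphabet if that encoding is in play.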
What Extensions are Used in the Attack?
At the moment, security researchers know of five distinct extensions used in the Chaes attack. The Chrolog extension, also referred to as ChormeLog, is a Delphi module that steals passwords saved in Google Chrome. The Online extension is a Delphi module that fingerprints the victim and sends the system information to the attackers’ server.
The Chronodx extension, also known as Chrome Noder, is a JavaScript trojan that waits for Chrome to launch, closes it, and reopens the browser with a malicious module that extracts the target’s banking details. The Chremows extension, also referred to as Chrome WebSocket, is a JavaScript banking trojan that logs the user’s clicks and keystrokes while Chrome is in use, with the overarching aim of stealing login credentials.
The Mtps4 extension, also referred to as MultiTela Pascal, is a Delphi backdoor whose primary job is to connect to C2 servers and wait for Pascal scripts to execute.
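Every capability listed above (reading saved passwords, logging keystrokes on banking pages, fingerprinting the host) needs an extension with broad reach over page content or browser data, so a quick triage of installed extensions is the natural defender-side check. The script below is an added example, not code from the article or from Avast, that walks a Chrome profile's Extensions folder, parses each manifest.json and flags broad permissions and all-sites host access. The profile paths are Chrome's real defaults; the set of high-risk permissions is this example's own judgement; the two extension ids and manifests are constructed for the demonstration, and the article does not state what permissions the Chaes extensions request.

```python
import json
import tempfile
from pathlib import Path

# Chrome keeps unpacked extensions under <profile>/Extensions/<id>/<version>/manifest.json, e.g.
#   Linux:   ~/.config/google-chrome/Default/Extensions
#   macOS:   ~/Library/Application Support/Google/Chrome/Default/Extensions
#   Windows: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
# An extension sideloaded from elsewhere lives wherever it was unpacked; pass that directory as `root`.

# Permissions that give an extension reach over page content, credentials or traffic.
# This set is the example's own triage judgement, not an official Chrome list.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "debugger", "nativeMessaging", "proxy",
    "cookies", "tabs", "history", "clipboardRead", "management", "scripting",
}
# Host patterns that cover every site, which is what a credential stealer needs.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest):
    """Return human-readable findings for one parsed manifest.json (empty if nothing stands out)."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for perm in sorted(perms & HIGH_RISK_PERMISSIONS):
        findings.append(f"permission:{perm}")
    # Manifest V2 lists host patterns under "permissions"; V3 moves them to "host_permissions".
    hosts = (perms & BROAD_HOST_PATTERNS) | set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("host:all-sites")
    return findings


def audit_extension_root(root):
    """Audit every manifest.json below `root`; keys are manifest directories relative to root."""
    root = Path(root)
    report = {}
    for manifest_path in sorted(root.rglob("manifest.json")):
        key = manifest_path.parent.relative_to(root).as_posix()
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            report[key] = [f"unreadable-manifest:{exc.__class__.__name__}"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[key] = findings
    return report


# Constructed sample profile with two extensions. The ids are made-up 32-character strings in
# Chrome's a-p id alphabet, not real extension ids.
BENIGN_ID = "abcdefghijklmnopabcdefghijklmnop"
RISKY_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"


def build_sample_profile():
    """Write the two constructed manifests into a temporary Extensions-style tree and return its root."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    manifests = {
        BENIGN_ID: {"manifest_version": 3, "name": "Notes", "version": "1.0",
                    "permissions": ["storage"],
                    "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["n.js"]}]},
        RISKY_ID: {"manifest_version": 2, "name": "Chrome Helper", "version": "0.1",
                   "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"],
                   "content_scripts": [{"matches": ["*://*/*"], "js": ["k.js"]}]},
    }
    for ext_id, manifest in manifests.items():
        ext_dir = root / ext_id / "1.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for key, findings in audit_extension_root(build_sample_profile()).items():
        print(key, "->", ", ".join(findings))
```

A hit is a triage prompt, not a verdict: password managers and ad blockers legitimately hold several of these permissions. Compare the flagged id against the Web Store listing and the extensions the organisation actually approved, and treat an unpacked extension with no store id, or one that appeared alongside a fake runtime installer, as the priority.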
What Type of Information is Stolen?
As Cybereason explained in the winter of 2020, Chaes steals data through a complex infection chain designed to capture valuable consumer information. The trojan steals credit card numbers, login credentials, sensitive information tied to consumer identities, and other financial information.
What Actions are Being Taken to Mitigate Chaes?
Avast’s security researchers are working with the Brazilian CERT to curb the spread of Chaes within the country and the rest of the world. However, these groups have not yet found a way to stop Chaes or its artifacts from compromising target websites.