Previously unknown malware has been detected in widespread attacks against e-commerce customers in Latin America.
The malware, dubbed Chaes by Cybereason Nocturnus researchers, is being deployed by a threat actor across the LATAM region to steal financial information.
In a blog post on Wednesday, the cybersecurity team said Brazilian customers of the area’s largest e-commerce company, MercadoLivre, are the focus of the infostealing malware.
Headquartered in Buenos Aires, Argentina, MercadoLivre operates both an online marketplace and auctions platform. In 2019, an estimated 320.6 million users were registered with the e-commerce giant.
First detected in late 2020 by Cybereason, Chaes is spread via phishing campaigns, in which emails claim that a MercadoLivre purchase has been successful. To make the email look more legitimate, the threat actors also appended a “scanned by Avast” footnote.
The messages contain a malicious .docx file attachment. Assaf Dahan, Cybereason Head of Threat Research, told ZDNet the attachment leverages “a template injection technique, using Microsoft Word’s built-in feature to fetch a payload from a remote server.”
If a victim clicks the file, the template injection is used to establish a connection with the attacker’s command-and-control (C2) server and to download the first malicious payload, an .msi file.
This file then deploys a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin, which both act as the malware’s “engine.” A further trio of installed files — hhc.exe, hha.dll and chaes1.bin — stitches together Chaes’s main components. A cryptocurrency mining module was also recorded.
Chaes creates registry keys to maintain persistence for the malware’s main engine and will deploy modules disguised as legitimate processes in order to steal system information, extract sensitive information from Google Chrome browser sessions, harvest login credentials for online accounts, and exfiltrate financial information, in particular when the MercadoLivre domain is visited.
Of particular note is Chaes’s ability to open a Chrome session. Activity is monitored and controlled through API hooking and the Node.js library Puppeteer. MercadoLivre and MercadoPago pages can be accessed without consent on infected machines. The malware is also able to take screenshots of MercadoLivre pages visited and send them to the C2.
“The alarming part in this node.js-based malware is the fact the majority of this behavior is considered normal, as the usage of the Puppeteer library for web scraping is not malicious by nature,” the team says. “Therefore, detecting these kinds of threats is much more challenging.”
However, Chaes appears to be under active development, as revised versions of the malware are more direct in targeting MercadoLivre pages that relate to e-commerce purchases.
Cybereason is currently exploring whether or not the malware is being used in campaigns against other e-commerce companies, and warns that Chaes may indicate a “possible future trend in using the Puppeteer library for further attacks in other major financial institutions.”