Cybersecurity research team Cybereason Nocturnus discovered a new malware called Chaes aimed at users of the Latin American e-commerce platform MercadoLivre. According to a blog post on the Cybereason website, Chaes manages to “evade antivirus tools.”
The malware is known to steal personal information from customers such as credit card numbers, site login credentials, and financial details. It is also known to take screenshots of infected systems. Moreover, it tracks Google Chrome to gather more user information.
Cybereason Head of Threat Research Assaf Dahan told ZDNet that the infection starts with phishing emails carrying malicious .docx attachments, which use “a template injection technique, using Microsoft Word’s built-in feature to fetch a payload from a remote server.”
ZDNet also noted that the Chaes email can camouflage itself as a legitimate one by attaching “scanned by Avast” as a footnote.
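The remote-template trick Dahan describes is visible in the document itself: a .docx is a ZIP of XML parts, and an attached template is declared as a relationship in `word/_rels/settings.xml.rels`. A mail gateway or sandbox can therefore flag an attachment before Word ever opens it. The following is an added example, not code from Cybereason or the article; the in-memory sample documents and the host `template.example` are constructed here for illustration.

```python
"""Detect Word remote-template injection in .docx attachments.

Added example (not Cybereason's code). An attached template is a
Relationship of type .../attachedTemplate in word/_rels/settings.xml.rels.
When TargetMode="External" and the Target is an http(s) URL, Word fetches
the template from that server when the document is opened, which is how
the lure in the article pulls its payload. A local template such as
Normal.dotm is normal and must not be flagged.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return [(rels_part_name, url)] for every external attached template."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can declare a template
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: not a finding here, but worth logging
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "Internal") == "External"
                if external and target.lower().startswith(("http://", "https://")):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target=None, external=True) -> bytes:
    """Build a minimal .docx in memory as a constructed test fixture.

    With template_target set, a settings.xml.rels part is added that
    declares it as the attached template (external or local).
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '</Types>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body>'
        '</w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            rels = (
                '<?xml version="1.0" encoding="UTF-8"?>'
                f'<Relationships xmlns="{RELS_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}"{mode}/>'
                '</Relationships>'
            )
            zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: no template, a local template, and a remote one.
    for label, doc in [
        ("no template", build_sample_docx()),
        ("local Normal.dotm", build_sample_docx("Normal.dotm", external=False)),
        ("remote template", build_sample_docx("http://template.example/base.dotm")),
    ]:
        print(f"{label}: {find_remote_templates(doc)}")
```

The check deliberately stays narrow: it only fires on an external http(s) template target, so a document that references its local Normal.dotm passes. Anything the scanner flags should be detonated or blocked rather than delivered, since the fetched template is the stage that decides what actually runs.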
The malware emerged at a time of increasing cybercrime against e-commerce platforms. To combat these threat actors, Cybereason researchers have been monitoring the parties that used Chaes back when it was still undetected.
The emergence of Chaes in Latin America is just part of a string of malware families that have arisen in the region. Just last year, three notorious malware families were found there, namely Grandoreiro, Ursa, and Astaroth.
According to the Nocturnus team, “These Latin American operations typically demonstrate some unique features when it comes to the tactics, techniques, and procedures (TTPs) employed, as well as how the malware is propagated to infect victims.”
These variants are known to use .MSI files for initial infection. The malware was also written in Delphi and relies heavily on LOLBins for execution, and it can download legitimate tools to further strengthen the infection and evade antivirus programs.
The report said that Chaes leverages verified programs such as Python, Unrar, and Node.js to stealthily infect the victim machine.
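Because the tools themselves are legitimate, hunting for this execution pattern means looking at context (who launched the interpreter and from where) rather than at the binary. Here is an added example of that kind of triage over process-creation events; it is not code from Cybereason or the article. The event layout, the list of suspicious parent processes (the Word lure and the .MSI installer from the chain described above) and the user-writable path markers are assumptions constructed for illustration, not indicators from the report.

```python
"""Flag legitimate interpreters launched in a suspicious context.

Added example (not Cybereason's code). The article says Chaes runs
legitimate tools such as Python, Unrar and Node.js and relies on .MSI
files and LOLBins for execution. The heuristic below is an assumption
for illustration: an interpreter started by an Office process or an
installer, or running from a user-writable directory, deserves a look;
the same interpreter run by a developer from Program Files does not.
Events are constructed, simplified process-creation records.
"""
import ntpath  # parses Windows paths correctly even when run on Linux

INTERPRETERS = {"python.exe", "pythonw.exe", "node.exe", "unrar.exe"}
# Assumed parents of interest: the Word lure and the .MSI installer.
SUSPICIOUS_PARENTS = {"winword.exe", "msiexec.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def classify(event: dict) -> str:
    """Return "benign", "interpreter_from_office_or_installer" or
    "interpreter_in_user_writable_dir" for one process-creation event."""
    image = event["image"].lower()
    if ntpath.basename(image) not in INTERPRETERS:
        return "benign"
    parent = ntpath.basename(event["parent_image"].lower())
    if parent in SUSPICIOUS_PARENTS:
        return "interpreter_from_office_or_installer"
    if any(marker in image for marker in USER_WRITABLE):
        return "interpreter_in_user_writable_dir"
    return "benign"


def triage(events: list) -> list:
    """Return (index, verdict) for every event that is not benign."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e)) != "benign"]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Python39\python.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                    # developer use
    {"image": r"C:\Users\alice\AppData\Roaming\pyz\python.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},            # installer-spawned
    {"image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\unrar.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},                # unrar from Temp
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},                    # unrelated
]

if __name__ == "__main__":
    for idx, verdict in triage(SAMPLE_EVENTS):
        print(idx, verdict, SAMPLE_EVENTS[idx]["image"])
```

The first event, Python launched by Explorer from Program Files, is left alone on purpose: the point of the heuristic is to separate ordinary use of these tools from the installer- or document-driven launches the article describes, so the noise stays low enough for an analyst to actually review the hits.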
Given the evasive and multi-stage nature of the malware, Cybereason co-founder and CEO Lior Div said, “Threat actors put a great deal of time, resources, and effort into choosing their targets for criminal operations such as this, and a return on their investment is always top of mind.”
Div added that users should always be vigilant about their cyber hygiene, especially at a time when cybercrime is becoming more profitable for criminals.
The team also found that Chaes is evolving, with new versions emerging, showing that the group behind the malware is actively improving it.