ANNOUNCEMENT

Threat Alert:

Chaes E-Commerce Malware

ORANGE_THREAT_ALERT_CR_ICONS-54

Threat Overview

BLOCKED_EXECUTABLE_CR_ICONS-32
Threat Type
MALWARE
IMPACTEDGEO_GLOBE2_CR_ICONS-31
TARGET INDUSTRIES
E-Commerce Customers
REDUCE_FALSE_POSITIVES_CR_ICONS-18
Attack Goal
Financial Cybercrime
PLATFORM3_CR_ICONS-03
Impacted GEO
Latin America

What's Happening?

The Cybereason Nocturnus Team has identified an active campaign targeting customers of a large e-commerce platform with newly discovered multi-stage malware that evades antivirus tools dubbed Chaes. The info-stealing malware is designed to harvest sensitive consumer information, including login credentials, credit card numbers and other financial information.

E-commerce platforms have been a favored target for cybercriminals, and the sharply increased volume of online shopping spurred by the COVID-19 pandemic have made attacks potentially even more profitable. According to data from the recent IBM U.S. Retail Index released in August of this year, “the pandemic has accelerated the shift away from physical stores to digital shopping by roughly five years,” and “e-commerce is projected to grow by nearly 20% in 2020” (TechCrunch).

The Cybereason Nocturnus Team has been tracking threat actors leveraging the previously undetected Chaes malware to primarily target Brazilian customers of the largest e-commerce company in Latin America, MercadoLivre. The researchers noted that the Latin American cybercrime scene has evolved a great deal in recent years, with some of the more notorious malware variants gaining prominence in just the last year, including Grandoreiro, Ursa and Astaroth.The Cybereason Nocturnus Team has been tracking threat actors leveraging the previously undetected Chaes malware to primarily target Brazilian customers of the largest e-commerce company in Latin America, MercadoLivre. The researchers noted that the Latin American cybercrime scene has evolved a great deal in recent years, with some of the more notorious malware variants gaining prominence in just the last year, including Grandoreiro, Ursa and Astaroth.

Read The Full Research

KEY OBSERVATIONS & TTPS

  • Targeting the Biggest E-Commerce Company in Latin America: Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.Js information stealer that exfiltrates data using the node process.
  • Credential Stealing, Screen Capture, Browser Monitoring, Reconnaissance: Chaes is designed to steal sensitive information from the browser such as login credentials, credit card numbers, and other financial information from MercadoLivre website customers. Chaes also takes screenshots of the infected machine, hooks and monitors the Chrome web browser to collect user information from infected hosts.
  • Multistage Delivery, Multi-Language Malware: Chaes infections consist of several stages that include use of LoLbins and other legitimate software, making it very challenging to detect by traditional antivirus tools. Chaes also executes multiple stages and is written in several programming languages including Javascript, Vbscript, .NET , Delphi and Node.js.
  • Downloads Legitimate Software, Designed for Stealth: Chaes operates using legitimate tools such as Python, Unrar and Node.js, and functional stages consist of several techniques such as use of LoLbins, open source tools, fileless actions and use of legitimate node.js libraries designed to increase the malware’s stealthiness.

 

  • Read the full length research here.

Remediation Steps

PARTNER_SANDBOX_CR_ICONS-28
Endpoint Protection

Install an endpoint protection solution to help mitigate similar attacks.

LOGIN_PASSWORDS_CR_ICONS-52
Password Manager

Consider using a password manager to ensure strong account credentials and avoid plain-text exposure of usernames and password on both browser-based and local applications.

TECH_DEEPDIVE_KNOWLEDGE_CR_ICONS-27
Training

Consider social engineering awareness and training, which are key in preventing such attacks.

antivirus-01
Prevented & Detected by the Cybereason Defense Platform

Prevented & Detected by the Cybereason Defense Platform

Suffered a Breach?

Talk to a Specialist