Carding
A virus with rewritten code skilfully bypasses traditional security tools.
The Chaes malware, which is widely known for stealing financial information from e-commerce users in Latin America, has undergone major changes and is back online, according to Morphisec.
"Chaes was completely rewritten in Python, which reduced the probability of detection by traditional security systems. The communication protocol with the command server was also redesigned," experts note.
According to Morphisec, an updated version of the virus, dubbed "Chae$ 4", was detected in January 2023. Infection still occurs through hacked sites, where users are prompted to download a malicious installer.
After launching on the victim's computer, Chaes establishes a connection to the command-and-control (C2) server and loads additional modules for collecting confidential data. The "Chronod" module, for example, intercepts usernames and passwords entered in the browser, as well as cryptocurrency payment data.
"The new version of the virus is aimed at stealing user data from services such as Mercado Libre, Mercado Pago and WhatsApp. Special attention is paid to intercepting payments through the Brazilian payment system PIX," Morphisec emphasizes.
Experts note that using the DevTools protocol to connect to the browser allows attackers to gain extended access to its functionality.
"The wide range of features provided by this protocol gives attackers full control over the browser — running scripts, intercepting network requests, reading the body of POST requests before encrypting them, and much more," Morphisec explains.
To ensure persistence on an infected system, Chaes uses Windows Task Scheduler tasks. The virus runs in an infinite loop, waiting for commands from the command server.
Another innovation is the modification of the shortcuts used to launch web browsers. As a result, clicking a browser shortcut actually starts the aforementioned Chronod module instead of the browser, and the module then intercepts what the user enters.
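As an added defender-side check (not code from Morphisec's report or from the malware itself), the following Python script flags browser shortcuts whose resolved target is no longer the browser binary, or that start the browser with a switch that exposes the DevTools protocol to other processes. The switch names are real Chromium flags; the shortcut records, paths and file names are constructed sample data.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Tuple

# Executables a legitimate browser shortcut is expected to resolve to (assumption: typical installs).
BROWSER_EXES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
BROWSER_NAMES = ("chrome", "edge", "firefox", "brave", "opera")
# Interpreters and script hosts a browser-named shortcut should never point at.
INTERPRETERS = {"python.exe", "pythonw.exe", "cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
# Chromium switches that expose the DevTools protocol to other processes or sideload code.
RISKY_SWITCHES = re.compile(r"--(remote-debugging-port|remote-debugging-pipe|load-extension)\b", re.I)
SCRIPT_EXT = re.compile(r"\.(py|pyw|js|vbs|ps1|bat)\b", re.I)

@dataclass
class Shortcut:
    name: str            # shortcut file name, e.g. "Google Chrome.lnk"
    target: str          # resolved target path stored in the shortcut
    arguments: str = ""  # command-line arguments stored in the shortcut

def findings_for(sc: Shortcut) -> List[str]:
    """Return the reasons a shortcut looks tampered with; an empty list means clean."""
    reasons = []
    browser_named = any(n in sc.name.lower() for n in BROWSER_NAMES)
    exe = os.path.basename(sc.target.replace("\\", "/")).lower()
    if browser_named and exe in INTERPRETERS:
        reasons.append("browser shortcut launches an interpreter: " + exe)
    elif browser_named and exe not in BROWSER_EXES:
        reasons.append("browser shortcut target is not a known browser: " + exe)
    m = RISKY_SWITCHES.search(sc.arguments)
    if m:
        reasons.append("risky browser switch in arguments: " + m.group(0))
    if SCRIPT_EXT.search(sc.arguments):
        reasons.append("arguments reference a script file")
    return reasons

def scan(shortcuts: List[Shortcut]) -> List[Tuple[str, List[str]]]:
    """Run findings_for over every record and keep only the suspicious ones."""
    return [(sc.name, findings_for(sc)) for sc in shortcuts if findings_for(sc)]

# Constructed sample records; the user path, loader name and port are made up for the demo, not real IoCs.
SAMPLE = [
    Shortcut("Google Chrome.lnk", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    Shortcut("Chrome.lnk", r"C:\Users\u\AppData\Local\Temp\pythonw.exe",
             r"C:\Users\u\AppData\Local\Temp\loader.py"),
    Shortcut("Microsoft Edge.lnk", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
             "--remote-debugging-port=9222"),
]
```

On a real Windows host the records would be built from the .lnk files in the Desktop and Start Menu folders, for example by resolving each one with the WScript.Shell COM object's CreateShortcut method.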
Thus, the updated Chaes represents an increased risk and has advanced capabilities for stealing confidential data.
Experts recommend that users exercise increased vigilance when working with financial applications and use reliable security tools to block new modifications of the Chaes virus and other threats.