CHAES: Novel Malware Targeting Latin American E-Commerce

Research by: Eli Salem
November 17, 2020

The Cybereason Nocturnus Team has been tracking a threat actor leveraging previously undetected malware dubbed “Chaes” to target e-commerce customers in Latin America (LATAM). Chaes, first discovered by Cybereason in mid-to-late 2020, is a multistage information stealer that primarily targets Brazil, and specifically the Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America.

In recent years, the LATAM cybercrime scene has evolved a great deal. Some of the most notorious malware variants prominent in the region over the last year include Grandoreiro, Ursa and Astaroth. LATAM cybercrime activity shows distinctive features in its TTPs and in how malware is propagated on an infected machine. Shared traits include:

• Leveraging .MSI files to start the infection chain
• Delphi as the preferred language for writing the malware
• Extensive use of LOLBins to execute content
• Downloading additional legitimate tools to expand the malware’s capabilities and to obfuscate its activity

When observing the shared behavior and mindset of LATAM-based threat actors, Cybereason researchers found that the malware authors emphasize staying under the radar as much as possible, and prefer to use existing tools or legitimate software wherever these fit their needs.
FIGURE 1 Full Attack Infographic

https://www.mercadolivre.com.br/
https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro
https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/#.X5n21YgzaUk
https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
https://www.cybereason.com/blog/brazilian-financial-malware-banking-europe-south-america
https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking

Key Findings

• Targeting the Biggest E-Commerce Company in Latin America: Chaes specifically targets the Brazilian website of the e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.js information stealer that exfiltrates data using the node process.
• Credential Stealing, Screen Capture, Browser Monitoring, Reconnaissance: Chaes is designed to steal sensitive information from the browser, such as login credentials, credit card numbers and other financial information belonging to MercadoLivre customers. Chaes also takes screenshots of the infected machine, and hooks and monitors the Chrome web browser to collect user information from infected hosts.
• Multistage Delivery, Multi-Language Malware: Chaes delivery consists of several stages that make use of LOLBins and other legitimate software, making it very challenging for traditional AV products to detect.
Chaes also has multiple stages and is written in several programming languages, including JavaScript, VBScript, .NET, Delphi and Node.js.
• Downloads Legitimate Software, Designed for Stealth: Chaes operates using legitimate tools such as Python, UNRAR and Node.js, and its stages rely on techniques such as LOLBins, open source tools, fileless components and legitimate Node.js libraries, all chosen to increase the malware’s stealth.
• Under Development: Cybereason has observed new versions of Chaes, showing that the authors are improving the malware and adding features.

FIGURE 2 Cybereason Anti-Malware Solution Detects and Prevents Chaes

Threat Analysis

Phase One: Initial Access

As with many traditional campaigns, this one begins by sending the victim a phishing email containing a .docx file.

FIGURE 3 First stage of Deployment

Template Injection Attacks

After the user opens the .docx file, a template injection attack occurs.
In this technique the adversary abuses Microsoft Word’s built-in ability to fetch a template from a remote server: the template target in the settings.xml embedded in the document is replaced with the download URL of the next payload.

FIGURE 4 Annexo.docx phishing mail
FIGURE 5 Template injection attack
FIGURE 6 Winword communicating with the C2

https://www.sans.org/reading-room/whitepapers/incident/template-injection-attacks-bypassing-security-controls-living-land-38780

Once the .msi file is executed, it drops the following files:

• Invisible.vbs: used by the malware to launch the other processes that take part in its framework
• Uninstall.dll and engine.bin: together constitute the “malware engine”
• Hhc.exe, hha.dll and chaes1.bin: together constitute the malware’s core components

The .msi file then spawns a Wscript child process running invisible.vbs, which initiates execution of the engine.bin content through the LOLBin InstallUtil. It also executes a process named hhc.exe, the legitimate HTML Help (CHM) Help Compiler. The initial activity can be seen in detail in the Cybereason Defense Platform:

Setting Up the “Malware Engine” and Initial Persistence

As mentioned above, the pair of binaries uninstall.dll and engine.bin serve as the “malware engine”, whose key objective is to download additional content and maintain a foothold on the infected machine.
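To check a document for the remote template target described in the template injection step above, the following added example (not code from the report or from Cybereason) parses the relationship part that Word resolves the settings.xml template reference through, word/_rels/settings.xml.rels, and reports any attachedTemplate relationship marked External; the sample documents and the URL in them are constructed placeholders.

```python
"""Flag .docx files whose settings carry a remote (external) attached template.

Added example for this report, not code from Cybereason or from the Chaes sample.
Word resolves the attachedTemplate reference in word/settings.xml through the
relationship part word/_rels/settings.xml.rels, so that is where the URL lives.
The sample documents below are constructed in memory; the URL is a placeholder.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE_TYPE = DOC_REL_NS + "/attachedTemplate"
# settings.xml.rels is the usual location; document.xml.rels is checked as well.
REL_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def remote_template_targets(docx_bytes: bytes) -> List[str]:
    """Return every attachedTemplate target marked External (fetched when opened)."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in REL_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                    continue
                # A local template has no TargetMode; External means Word will
                # reach out to the target as soon as the document is opened.
                if rel.get("TargetMode") == "External":
                    hits.append(rel.get("Target", ""))
    return hits


def build_docx(template_target: Optional[str]) -> bytes:
    """Construct a minimal .docx; with a target it mimics a template-injection lure."""
    rels = f'<Relationships xmlns="{PKG_REL_NS}">'
    if template_target is not None:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
                 f'Target="{template_target}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure pointing at a placeholder host, followed by a clean document.
    print(remote_template_targets(build_docx("http://template-host.invalid/payload.dotm")))
    print(remote_template_targets(build_docx(None)))
```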
Uninstall.dll is a .NET-based module that receives an AES-encrypted binary file as an argument and decrypts it:

FIGURE 7 The Cybereason Defense Platform showing the initial deployment
FIGURE 8 Uninstall.dll

https://en.wikipedia.org/wiki/Microsoft_Compiled_HTML_Help

In the first iteration of the malware, Uninstall.dll decrypts engine.bin, which triggers the download of a file named Install.js. Install.js is a downloader that fetches further binary payloads and hits counters for them:

FIGURE 9 InstallUtil downloads install.js
FIGURE 10 Install.js downloads further binaries

The full list of files that install.js attempts to download is given in Table 1. The following image shows InstallUtil processes downloading files from the C2 server. After the files have been downloaded, they are automatically executed by several process chains involving Wscript, Cmd and eventually InstallUtil, which decrypts the files the same way it decrypted engine.bin. The files themselves are the artifacts mentioned above: chaes1.bin, hha.dll and hhc.exe.

TABLE 1 Install.js list of domains

OBSERVED URL                                          PURPOSE
hxxp://cnxtours.com[.]br/ZGkPJCwzO/counter.php        Generic counter
hxxp://cnxtours.com[.]br/2GkPJCwz2/counter.php        JavaScript file counter
hxxp://java-update[.]online/Bv3wsrFB0t/counter.php    USB file counter
hxxp://evolved-thief[.]online/pacotes/chaes2.bin      Malware component
hxxp://evolved-thief[.]online/pacotes/elektra1.bin    Malware component
hxxp://evolved-thief[.]online/pacotes/bom8.bin        Observed downloading coinminer

FIGURE 11 InstallUtil downloading additional content

Interestingly, although the code that downloads the binaries lives in Install.js, there is no indication of script execution on the host.
All the activity is performed by InstallUtil, which makes this script execution technique unorthodox and much harder to spot:

Although executing JavaScript through InstallUtil as a proxy has some benefits, including additional persistence, in recent observations of Chaes the malware authors have dropped this stage from the deployment.

Next, the malware creates its first means of persistence using the registry entry CurrentVersion\Run\Installutil\, which launches new instances of engine.bin repeatedly. Some of the .bin files, such as elektra1.bin, also contain the hhc.exe process and its associated malicious files, so as long as the engine’s persistence is maintained, the malware no longer needs the .msi file to exist.

Registry Key: Software\Microsoft\Windows\CurrentVersion\Run\installutil\
Value: wscript.exe “C:\Users\[username]\AppData\Roaming\invisible.vbs” cmd /c cd “C:\Users\[username]\AppData\Roaming\Microsoft\Network” & “C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe” /u “uninstall.dll” “/f=engine.bin”

FIGURE 12 The Cybereason Defense Platform shows the full command lines of InstallUtil

Phase Two: Chaes Modules and Malware Deployment

Three of the files brought to the machine by the .msi file are hhc.exe, hha.dll and chaes1.bin. As already mentioned, hhc.exe belongs to the HTML Help (CHM) Help Compiler and is commonly used to create CHM files. This process requires a module named hha.dll in order to run. The legitimate hha.dll is a 32-bit Windows DLL developed by Microsoft Corporation for the HTML Help software and related programs. In this case, the attackers delivered their own crafted, unsigned hha.dll to the machine and took advantage of the DLL search order to load it into the legitimate hhc.exe process.
In this way, the attackers execute malicious code in the context of a legitimate process without using any injection. This technique was already observed in previous Cybereason research on financial malware across the Brazilian cybercrime landscape:

FIGURE 13 Second stage of Deployment
FIGURE 14 Malicious hha.dll (left) and legitimate hha.dll (right)

https://attack.mitre.org/techniques/T1574/001/
https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking

The existence of the module and its identification as malicious can be seen clearly in the Cybereason Defense Platform:

hha.dll Analysis

When investigating the module, it is clear that it has nothing in common with the legitimate Windows hha.dll. The module’s main goal is to decode and unpack the downloaded content of chaes1.bin and load it into memory. It begins by obtaining a handle to the chaes1.bin file with read permissions using the CreateFileW function, then retrieves the file size and allocates memory accordingly:

FIGURE 15 The Cybereason platform detected hha.dll as malicious
FIGURE 16 Getting a handle to chaes1.bin

https://docs.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilew

After obtaining the handle and allocating memory, the module attempts to read the file content. If it succeeds, it passes the newly allocated copy of chaes1.bin, together with additional obfuscated embedded content, to another function that unpacks and deobfuscates chaes1.bin.
When the routine ends, it produces a new module loaded in memory named “chaes.dll” (also written in Delphi), which contains the decoded contents of chaes1.bin:

FIGURE 17 Decoding function before (left) and after (right)

The presence of this new DLL in the memory of hhc.exe can also be seen in the Cybereason Defense Platform, along with another module named chcopyd1.dll:

chaes.dll Analysis

When the researchers first inspected chaes.dll using Pestudio, it was immediately apparent that the module stores an executable named “UNRAR” in its resources section. UNRAR is a free and open source command-line application for extracting RAR archives, which the adversaries use to extract the additional content sent from the C2 server as archive files:

FIGURE 18 Decoded and fileless chaes.dll in the memory of hhc.exe
FIGURE 19 Chaes.dll UNRAR in resource section

https://en.wikipedia.org/wiki/Unrar

As expected, chaes.dll loads this executable from its own binary and assigns the memory the 0x40 protection value, the constant that grants read, write and execute access (PAGE_EXECUTE_READWRITE). UNRAR is not the only file the malware drops: chaes.dll also drops invisible.vbs, config.ini and instructions.ini:

Config.ini and Instructions.ini

As its name suggests, config.ini stores the configuration for the C2. Instructions.ini stores the instructions sent to the C2 server to download the additional content and deploy the full malware.
Like many other commands in this malware, some of these are executed through the invisible.vbs file:

TABLE 2 File names dropped by chaes.dll

FILE NAME          SHA-1 HASH
config.ini         bf3174b0151ff6c1b57398f37c9f381bb2b66a6c
instructions.ini   84f38bf9df9a0153050b371033afc0d8191763bf
unrar.exe          6411159bbf02b44caee6b42390bf866d46aed0e4
invisible.vbs      2182243567bfcefcbc88b4ebcc42ed52e1dd1e69

FIGURE 20 config.ini
FIGURE 21 instructions.ini

The additional files obtained from the C2 server are:

• chstea01.rar: contains the hhc.exe process, the malicious hha.dll, chaes1.bin and sqlite3.dll (the first hint that SQL will be used by the malware).
• fixi2.rar and usb3.rar: contain the hhc.exe process, hha.dll and chaes1.bin.
• spm4.rar: contains Python-related files and a large binary file named “load.bin”.

After the archives are downloaded, pythonw.exe uses UNRAR to extract and execute their content. In recent versions of Chaes, the instructions.ini file has become fileless and is stored in the registry:

FIGURE 22 spm4.rar (left) and chstea01.rar (right)
FIGURE 23 Instructions.ini data fileless in the registry

Chaes Communication with the C2

The communication between chaes.dll and its C2 server consists of three recurring POST requests:

• NewClient: provides the C2 with information about the victim’s machine (machine name, user name, UID, operating system version and malware version).
• Instructions: sends and receives content that is base64-encoded and then encrypted.
• Config: also encoded and encrypted.
Stealing Information from the Browser

In addition, the hhc.exe process creates several .sql files named local.sql. These SQL databases are used to extract sensitive information from the Chrome browser, much like other traditional information stealers; some of the SQL tables relate to credit cards, website login credentials and the user’s personal information:

FIGURE 24 Chaes communicates with the C2
FIGURE 25 Chaes “NewClient.php” communication
FIGURE 26 Credit card related database to extract information from the browser

Additional Persistence

In addition to downloading and executing content, the malware sets up further persistence in the registry: one entry under software\microsoft\windows\currentversion\run\microsoft windows html help v6.1.2390 and a second under software\microsoft\windows\currentversion\run\microsoft windows html help:

Registry key: Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows html help v6.1.2390\
Value: Wscript “C\ProgramData\invisible.vbs” cmd /V:ON /C cd “%APPDATA%\Microsoft\HTML Help v6.2.1533\” & wscript.exe %PROGRAMDATA%\invisible.vbs “hhc.exe”

Registry key: Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows html help\
Value: Wscript “C\ProgramData\invisible.vbs” cmd /V:ON /C cd “C\Users\[username]\APPDATA\Roaming\Microsoft\HTML Help v6.2.1533\” & wscript.exe C:\PROGRAMDATA\invisible.vbs “hhc.exe”

Second Stage Deployment via Python

Once Chaes finishes downloading the additional content and establishing persistence, the downloaded content starts the second stage of the malware deployment. First, pythonw.exe injects a module named “ModHooksCreateWindow64.dll” into a newly created Chrome process. This Chrome instance opens silently in the background, without the user’s knowledge or consent.
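A check over the Run-key values quoted above (the InstallUtil entry and the two HTML Help entries), written as an added example that is not Cybereason's detection logic: the registry values are embedded as constructed samples copied from the report's command lines, with [username] as a placeholder and a benign OneDrive entry as a control, so the check runs offline rather than reading the live hive.

```python
"""Inspect Windows Run-key values for the launch patterns Chaes uses for persistence.

Added example for this report, not Cybereason's detection logic. The values below are
constructed from the command lines quoted in the report ([username] is a placeholder);
on a live host the same strings would come from winreg, here they are embedded.
"""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: (value name, value data) as they would appear under RUN_KEY.
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("installutil",
     r'wscript.exe "C:\Users\[username]\AppData\Roaming\invisible.vbs" cmd /c cd '
     r'"C:\Users\[username]\AppData\Roaming\Microsoft\Network" & '
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe" /u "uninstall.dll" "/f=engine.bin"'),
    ("Microsoft Windows html help v6.1.2390",
     r'Wscript "C:\ProgramData\invisible.vbs" cmd /V:ON /C cd '
     r'"%APPDATA%\Microsoft\HTML Help v6.2.1533\" & wscript.exe %PROGRAMDATA%\invisible.vbs "hhc.exe"'),
    # Control: an ordinary auto-start entry that must not be flagged.
    ("OneDrive", r'"C:\Users\[username]\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Locations a standard user can write to, where the report's artifacts were dropped.
USER_WRITABLE = re.compile(r"(appdata|programdata|\\users\\|%appdata%|%programdata%)", re.I)

RULES = [
    # (rule name, predicate over the lower-cased value data)
    ("script-host-launching-vbs-from-user-path",
     lambda c: bool(re.search(r"\b[wc]script(\.exe)?\b", c) and ".vbs" in c and USER_WRITABLE.search(c))),
    ("installutil-uninstall-proxy-execution",
     lambda c: "installutil.exe" in c and bool(re.search(r"\s/u\b", c)) and "/f=" in c),
    ("html-help-compiler-in-run-key",
     lambda c: "hhc.exe" in c),
    ("cmd-cd-into-user-path-then-execute",
     lambda c: bool(re.search(r"\bcmd\b.*\bcd\b", c) and USER_WRITABLE.search(c)) and "&" in c),
]


def evaluate_run_value(name: str, data: str) -> List[str]:
    """Return the names of every rule the Run-key value matches (empty when clean)."""
    cmd = data.lower()
    return [rule for rule, predicate in RULES if predicate(cmd)]


def scan_run_values(values: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious value name to its matched rules; clean values are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, data in values:
        hits = evaluate_run_value(name, data)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for value_name, rules in scan_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{RUN_KEY}\\{value_name}: {', '.join(rules)}")
```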
This can also be seen in the Cybereason platform:

FIGURE 27 Deployment of the malware by pythonw.exe

ModHooksCreateWindow64.dll Analysis

When the team investigated the module, its name indicated that it deals with classic API hooking techniques; this is borne out by the number of JMP stubs that appear and by several strings that point the same way:

When the researchers examined the module’s strings, some of them, together with several file names, matched an open source project named DDetours exactly, in particular two files named “DDetours.pas” and “InstDecode.pas”. According to its GitHub page: “The DDetours is a library allowing you to hook Delphi and Windows API functions. It provides an easy way to insert and remove hooks.”

The malware authors again show their creativity in staying under the radar by using legitimate open source software. In addition to the DDetours code, the module contains several strings indicating that it hooks the function ShowWindow, specifically to detect whether the Chrome browser is active. The same technique appears in the leaked code of the Carberp botnet, which hooks ShowWindow to detect the presence of Internet Explorer:

FIGURE 28 Setting up the hook JMP
FIGURE 29 ShowWindow hooking and Chrome browser

https://github.com/MahdiSafsafi/DDetours
https://github.com/Artogn/malware-1/blob/master/Carberp%20Botnet/source%20-%20absource/pro/all%20source/RemoteCtl/DrClient/Hook.cpp

Overall, this module grants the malware the ability to hook any API it wishes, and it specifically targets the Chrome browser. Browser hooking is the hallmark feature of most financial malware.
Finally, pythonw.exe also downloads a JavaScript file named “index.js”, a targeted information stealer written in Node.js:

Downloading the Node.js Component

After setting up the Chrome hooks, pythonw.exe executes the final piece of the malware framework: installing Node.js on the infected machine in a location whose path contains “Microsoft\Media\Oz”. Node.js is an open-source, cross-platform, back-end JavaScript runtime environment that executes JavaScript code outside a web browser. This is another instance of legitimate software that the malware uses to operate and carry out its malicious activity. The node.exe process is the last piece of the puzzle: it acts according to the code in “index.js” and sends the data collected from the infected machine to the C2. This can also be seen in the Cybereason UI:

When the full deployment of the malware is examined, the activity divides into three pieces:

• Hhc.exe mainly acts as the component that handles the malware’s maintenance and persistence and downloads the additional components.
• Pythonw.exe deploys the downloaded content and executes it.
• Finally, node.exe receives the data according to “index.js” and sends it to the C2.

FIGURE 30 Pythonw.exe downloading index.js infostealer
FIGURE 31 End of the malware deployment

https://en.wikipedia.org/wiki/Node.js
https://nodejs.org/en/

Phase Three: Targeted Node.js Malware

Index.js is a Node.js-based information stealer that has kept being updated and has evolved over recent months. As of this writing, the last update was observed at the beginning of November 2020. The script acts as the main orchestrator of Chaes’s primary objective.
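The three-piece chain summarised above, expressed as rules over process-creation telemetry (an added example, not Cybereason's detection logic): the events, pids, user name and paths are constructed to mirror the chain the report describes, and a genuine HTML Help Workshop hhc.exe is included as a control that must not match.

```python
"""Match the Chaes deployment chain against process-creation telemetry.

Added example for this report, not Cybereason's detection logic. The events below are
constructed to mirror the chain described in the report (wscript -> cmd -> InstallUtil /u,
hhc.exe loading hha.dll from a user profile, pythonw.exe launching Chrome, node.exe
running under Microsoft\\Media\\Oz); pids, the user name and paths are placeholders.
"""
import re
from typing import Any, Dict, Iterator, List, Tuple

# Directories where a legitimately installed hhc.exe/hha.dll pair would live.
PROGRAM_DIRS = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)

Event = Dict[str, Any]

# Constructed telemetry: one dict per process-creation event.
EVENTS: List[Event] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\invisible.vbs"', "modules": []},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c cd "C:\Users\alice\AppData\Roaming\Microsoft\Network" & InstallUtil.exe /u uninstall.dll /f=engine.bin',
     "modules": []},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe",
     "cmdline": r'InstallUtil.exe /u "uninstall.dll" "/f=engine.bin"', "modules": []},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\AppData\Roaming\Microsoft\HTML Help v6.2.1533\hhc.exe",
     "cmdline": "hhc.exe",
     "modules": [r"C:\Users\alice\AppData\Roaming\Microsoft\HTML Help v6.2.1533\hha.dll"]},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Network\pythonw.exe",
     "cmdline": "pythonw.exe", "modules": []},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe", "modules": []},
    {"pid": 302, "ppid": 300, "image": r"C:\Users\alice\AppData\Roaming\Microsoft\Media\Oz\node.exe",
     "cmdline": "node.exe index.js", "modules": []},
    # Control: a genuine HTML Help Workshop install, which must not be flagged.
    {"pid": 400, "ppid": 1, "image": r"C:\Program Files (x86)\HTML Help Workshop\hhc.exe",
     "cmdline": "hhc.exe project.hhp",
     "modules": [r"C:\Program Files (x86)\HTML Help Workshop\hha.dll"]},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event: Event, by_pid: Dict[int, Event]) -> Iterator[str]:
    """Yield the image basenames of the parent, grandparent, ... of an event."""
    ppid = event["ppid"]
    while ppid in by_pid:
        parent = by_pid[ppid]
        yield basename(parent["image"])
        ppid = parent["ppid"]


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule name, pid) for every event that matches one of the chain rules."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        name = basename(e["image"])
        chain = list(ancestors(e, by_pid))
        # hhc.exe outside the program directories that loads an hha.dll sitting
        # beside it: the DLL search-order hijack the report describes.
        if name == "hhc.exe" and not PROGRAM_DIRS.match(e["image"]):
            if any(basename(m) == "hha.dll" and not PROGRAM_DIRS.match(m) for m in e["modules"]):
                findings.append(("hhc-loading-hha-dll-outside-program-dirs", e["pid"]))
        # InstallUtil in uninstall (/u) mode descending from a script host.
        if (name == "installutil.exe" and re.search(r"\s/u\b", e["cmdline"].lower())
                and "wscript.exe" in chain):
            findings.append(("wscript-to-installutil-uninstall-chain", e["pid"]))
        # A browser started directly by pythonw.exe.
        if name == "chrome.exe" and chain[:1] == ["pythonw.exe"]:
            findings.append(("chrome-launched-by-pythonw", e["pid"]))
        # node.exe executing from the Microsoft\Media\Oz drop location.
        if name == "node.exe" and "\\microsoft\\media\\oz\\" in e["image"].lower():
            findings.append(("node-running-from-media-oz-path", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```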
Master of Puppets

When starting to investigate index.js, the string “puppeteer-core” was observed at first glance. This indicates that the script uses the Node.js library “Puppeteer”. Puppeteer is a Node library that provides a high-level API to control Chrome or Chromium over the DevTools Protocol. Puppeteer runs headless by default, but can be configured to run full (non-headless) Chrome or Chromium. In other words, the script can execute code that interacts with a remote C2 server whether or not the Chrome browser was opened by a user.

The Puppeteer library is also commonly used for web scraping, the process of automating data collection from the web. The process typically deploys a “crawler” that automatically browses the web and scrapes data from selected pages.

Interestingly, we also noticed the variable “mercado_pago_done”. This is the first indication that the script deals with information and data related to Mercado Pago. Mercado Pago is the payment platform for online sales of the company Mercado Livre. Mercado Livre, Inc. is an Argentine company incorporated in the United States that operates online marketplaces dedicated to e-commerce and online auctions. According to Wikipedia, Mercado Livre had over 174 million users in Latin America, making it the region’s most popular e-commerce site by number of visitors:

To operate, the script first attempts to connect to the newly created Chrome session, after which that session’s actions are driven by the index.js script. Considering that the Chrome session is already monitored and hooked, it is apparent how deep the malware’s visibility into its activity is.
FIGURE 32 Usage of Puppeteer library
FIGURE 33 The Node.js malware connects to the Chrome browser

https://www.npmjs.com/package/puppeteer
https://www.digitalocean.com/community/tutorials/how-to-scrape-a-website-using-node-js-and-puppeteer
https://en.wikipedia.org/wiki/MercadoLibre

In addition, the script contains multiple other functions related to communicating with and remotely controlling the newly created Chrome browser.

Data Collecting Functions

One of the prominent functions this info-stealer uses is printReport(). It takes a web page URL and information to print as arguments, then creates an image of that web page to be uploaded to the C2 server. This function is used whenever the info-stealer chooses to notify the C2 server about a specific activity. The upload capability is provided by another function called “fileUpload”, which receives a URL, a message and a filename to upload:

Another function is loadUID(), which, as its name suggests, locates the UID of the infected machine. The UID consists of three parts: random letters, the machine name and the user name:

FIGURE 34 PrintReport function
FIGURE 35 LoadUID function

Accessing the Target

The first significant malicious activity performed by the script is to navigate the Chrome browser to mercadopago.com.br and then extract the infected user’s financial information. The extracted information is stored in three variables named in Portuguese:

• Dinheiro_disponivel: “money available”
• Prefil: “profile”
• Atividades_item: “item activities”

As mentioned previously, Chaes is still under development.
In a version that appeared in late 2020, the way the script addresses the Mercado Pago page became more direct, attempting to extract data from the URL “https://www.mercadopago.com.br/banking/balance#from-selection=home”:

FIGURE 36 The Node.js malware collects financial information of mercadopago customers
FIGURE 37 Index.js version observed in late 2020

The script also attempts to navigate to and scrape data from “www.mercadolivre.com.br/credits/consumer/administrator#menu-user”, an online payment section of mercadolivre.com. As with the Mercado Pago page, the script reads the data from this page as well, storing credit card data in two constant variables named “mcredito_selector” and “mcredito_available”. It then reports its findings to the C2 server using the aforementioned printReport() function:

As can be seen in the script, in each case, whether the page is associated with MercadoLivre or MercadoPago, the script uses printReport() to create an image of the targeted page and eventually sends the extracted data to the C2 server. The creation of these images can be seen in the Cybereason Defense Platform:

After creating the screenshot, the information is sent to the C2 server using the Multipurpose Internet Mail Extensions (MIME) format, an extension to the Internet email protocol that allows users to exchange different kinds of data files such as images, audio and video.
Note that in the latest versions of index.js the entire communication of the node.exe process is encrypted:

FIGURE 38 The Node.js malware collects financial information of mercado livre customers
FIGURE 39
FIGURE 40 The Node.js malware sending a packet of information to the C2 server

https://en.wikipedia.org/wiki/MIME

Eventually, once the data scraped from the website has been collected, the script sends it as a JSON file uploaded to the remote C2 server. In the end, the attacker holds the victim’s profile information, including their cash balance:

Sending Fake Emails

Once the user makes a transaction, the script uses a function called sendEmail() to automatically send a fake email, purportedly on behalf of Mercado Livre, informing the customer about the purchase they made. In this fake email, “Mercado Livre” sends the following message:

“Your order has been successfully billed on our system, Order No.: 112187194961661 generated on 9/22/2020 at 09:33:48 PM Status: APPROVED! Order amount: R $ 4661.22 payment billed in 4X (Boleto Bancário). Attached are the accesses containing the data listed above: Access Key: 3872190867349812064732892309012388561092”

To increase the legitimacy of the message, the customer is also told that the email has been scanned by Avast and contains no virus:

FIGURE 41 The Node.js malware creates the JSON to send information about a new customer
FIGURE 42 The Node.js malware sendEmail function

https://en.wikipedia.org/wiki/Avast_Antivirus

The script also determines whether there is any money to extract from the customer; if not, it displays a message to that effect:

Additionally, the script extracts the cookies and web data from the Mercado Pago site and stores them as constant variables named “cookies” and “web_data”.
This data is also uploaded to the C2 server:

FIGURE 43 SendEmail function fake mail
FIGURE 44 The Node.js malware verifies whether the customer has money
FIGURE 45 The Node.js malware collects cookies and web data of the mercado pago web page

Understanding the Endgame

After analyzing the Node.js malware and the entire deployment process of Chaes, the researchers understood the full functionality and capabilities of the malware. The malware opens a Chrome browser, monitors it using hooking, and then controls its activity using the Puppeteer capabilities in the Node.js script. In this way, the malware is able to enter the MercadoPago and MercadoLivre payment sections without the user’s interaction or consent. It then scrapes the information stored there and sends it to a remote C2 server.

The alarming part of this Node.js-based malware is that the majority of this behavior is considered normal, as using the Puppeteer library for web scraping is not malicious by nature. Detecting these kinds of threats is therefore much more challenging.

Evolving Threat

Chaes is a rapidly evolving threat, and in recent months the malware authors appear to have adapted and changed parts of their framework. Recent versions of Chaes have been observed without InstallUtil and with better network encryption. In addition, the final Node.js script “index.js” has been updated and now contains more functionality related to controlling the Chrome browser, new C2 IPs/domains and a new MercadoPago financial webpage, while the fake mail section has been removed. Although some versions of Chaes change in places, the endgame remains the same: under-the-radar access to the MercadoLivre and MercadoPago websites without the user’s consent, and data exfiltration using the node process.
This can also be seen in the Cybereason Defense Platform:

FIGURE 46 Full attack infographic

Conclusion

In this research, Cybereason discovered a new and evolving threat in the Latin American cybercrime scene called Chaes. The malware made its first appearance during the middle to end of 2020; it specifically targets Brazil and the largest e-commerce company in Latin America, Mercado Livre. It is a multistage malware deployment that uses several legitimate Windows processes and open source tools to remain undetected. These components are not always malicious on their own, but together they form a stealthy infection chain that is hard to detect.

Multistage malware using such techniques in the LATAM region, and specifically in Brazil, has already been observed and investigated by Cybereason in past years. Chaes demonstrates how sophisticated and creative malware authors in the Latin America region can be when pursuing their goals. The malware not only serves as a warning to information security researchers and IT professionals not to take lightly the presence of files that are legitimate in nature, but also raises the concern of a possible future trend of using the Puppeteer library in further attacks on other major financial institutions.

Cybereason will continue to monitor Chaes’ progress to determine whether it expands to more e-commerce companies in Latin America, and whether the popularity of Node.js-based malware will continue to grow.
FIGURE 47 The Cybereason Defense Platform shows Chaes accessing MercadoLivre and MercadoPago websites and data exfiltrated from the node.exe process

https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking
https://www.cybereason.com/blog/brazilian-financial-malware-banking-europe-south-america
https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research

MITRE ATT&CK Breakdown

• Initial Access: Spearphishing Link (T1192), Spearphishing Attachment (T1193)
• Execution: Command-Line Interface (T1059), Scripting (T1064), JavaScript/JScript (T1059.007), Python (T1059.006), Visual Basic (T1059.005)
• Persistence: Registry Run Keys / Startup Folder (T1547.001), Valid Accounts (T1078)
• Privilege Escalation: Registry Run Keys / Startup Folder (T1547.001), Valid Accounts (T1078)
• Defense Evasion: Modify Registry (T1112), InstallUtil (T1218.004), Scripting (T1064), DLL Search Order Hijacking (T1574.001), Msiexec (T1218.007)
• Credential Access: Credentials in Files (T1081), Credentials from Web Browsers (T1555.003)
• Discovery: Account Discovery (T1087), File and Directory Discovery (T1083), System Information Discovery (T1082), System Network Configuration Discovery (T1016)
• Collection: Data from Information Repositories (T1213), Data from Local System (T1005), Data Staged (T1074), Email Collection (T1114)
• Exfiltration: Automated Exfiltration (T1020), Data Compressed (T1560), Data Encrypted (T1560), Exfiltration Over Command and Control Channel (T1041)
• Command and Control: Data Obfuscation (T1001), Mail Protocols (T1071.003)

Indicators of Compromise (IOCs)

The full set of IOCs, including C2 domains, IP addresses, and the SHA-1 and SHA-256 hashes of the .docx files, .msi files, binary files, archived files, .ini files, scripts and DLLs, is available for download here:
https://www.cybereason.com/hubfs/dam/collateral/iocs/chaes-malware-iocs.pdf