How Banking Trojan Chaes Hijacks Chrome via Malicious Extensions?

A large operation involving 800 compromised WordPress websites is spreading a banking Trojan that targets the credentials of Brazilian e-banking users. The Trojan used in the operation is known as ‘Chaes,’ and according to the investigators, it has been spreading continuously since late 2021.

Although the security firm alerted the Brazilian CERT, the operation is still ongoing, with hundreds of websites still injected with the malicious scripts that push the malware.

What is the Attack Chain?

When the victim visits one of the compromised websites, they are shown a pop-up asking them to install a fake Java Runtime application.


The MSI installer includes three malicious JavaScript files (install.js, sched.js, sucesso.js) that prepare the Python environment for the next-stage loader. The sched.js script adds persistence by creating a Scheduled Task and a Startup link, and sucesso.js is responsible for reporting status to the C2.

At the same time, the install.js script performs the following tasks:

  • Check for Internet connectivity (using google.com)
  • Create the %APPDATA%\extensions folder
  • Download the password-protected archives python32.rar/python64.rar and unrar.exe into that extensions folder
  • Write the path of the newly created extensions folder to HKEY_CURRENT_USER\Software\Python\Config\Path
  • Perform some basic system profiling
  • Execute unrar.exe with the password passed as an argument to unpack python32.rar/python64.rar
  • Connect to the C2 and download 32-bit and 64-bit __init__.py scripts along with two encrypted payloads, each with a pseudo-random name
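The staging steps above leave host artifacts that a defender can alert on: the %APPDATA%\extensions folder, the python32.rar/python64.rar and unrar.exe files dropped into it, the HKCU\Software\Python\Config\Path registry value, a password-protected unrar run, and a scheduled task created from a script host. The following is an added example (not code from the article or from the researchers) that evaluates a constructed set of simplified Sysmon-style event records against those artifacts and requires the chain, not a single indicator, before raising a verdict. The field names follow Sysmon (EventID 1/11/13), the sample events are made up, and the `chaes-staging-suspected` label is a name chosen here.

```python
"""Detect the install.js / sched.js staging chain in Sysmon-style events.

Added example, not from the original article. Event records are simplified
dicts mirroring Sysmon EventID 1 (ProcessCreate), 11 (FileCreate) and
13 (RegistryEvent); the sample events are constructed.
"""
from __future__ import annotations
import re
from typing import Iterable

# Artifact patterns derived from the article's description of install.js / sched.js.
STAGING_DIR = re.compile(r"\\AppData\\Roaming\\extensions(\\|$)", re.I)
STAGED_FILES = re.compile(r"\\(python(32|64)\.rar|unrar\.exe)$", re.I)
# Sysmon writes HKCU values as HKU\<SID>\...; accept both spellings.
REG_PATH = re.compile(r"(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Python\\Config\\Path$", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def classify(event: dict) -> list[str]:
    """Return the article-derived indicators that a single event matches."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 11:  # FileCreate: archive or unrar.exe dropped into the staging folder
        target = event.get("TargetFilename", "")
        if STAGING_DIR.search(target) and STAGED_FILES.search(target):
            hits.append("staged-python-archive")
    elif eid == 13:  # RegistryEvent: install.js writes the extensions path here
        if REG_PATH.search(event.get("TargetObject", "")):
            hits.append("python-config-path-key")
    elif eid == 1:  # ProcessCreate
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentImage", "").lower()
        # unrar.exe run from the staging folder with an inline password (-p<pw>)
        if image.endswith("unrar.exe") and re.search(r"-p\S+", cmd) and STAGING_DIR.search(cmd):
            hits.append("unrar-with-password")
        # sched.js persistence: schtasks /Create spawned by a script host
        if image.endswith("schtasks.exe") and parent.endswith(SCRIPT_HOSTS) and "/create" in cmd.lower():
            hits.append("scheduled-task-from-script")
    return hits


def triage(events: Iterable[dict]) -> dict:
    """Aggregate indicator hits over an event stream and decide on a verdict."""
    indicators: set[str] = set()
    matched = 0
    for ev in events:
        hits = classify(ev)
        if hits:
            matched += 1
            indicators.update(hits)
    # A lone indicator can be benign (people do unpack RAR files); require the
    # staged archive plus either the registry key or the persistence task.
    chain = "staged-python-archive" in indicators and bool(
        {"python-config-path-key", "scheduled-task-from-script"} & indicators)
    return {"indicators": sorted(indicators), "matched_events": matched,
            "verdict": "chaes-staging-suspected" if chain else "no-chain"}


# Constructed sample events: five from the described chain, two benign decoys.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\extensions\python64.rar"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\extensions\unrar.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Python\Config\Path"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\extensions\unrar.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\extensions\unrar.exe" x -pEXAMPLEPW python64.rar'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks /Create /SC ONLOGON /TN Updater /TR "C:\Users\alice\AppData\Roaming\extensions\run.bat"'},
    {"EventID": 11, "Image": r"C:\Program Files\Git\bin\git.exe",
     "TargetFilename": r"C:\Users\alice\src\unrar.exe"},  # benign: not the staging folder
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "schtasks /Query"},  # benign: a query from explorer, not /Create
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The verdict deliberately keys on the combination of artifacts: an archive plus unrar.exe in a user profile is common, but the same folder being registered under HKCU\Software\Python\Config\Path and a scheduled task being created by a script host is specific to this chain.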

The Python loader chain unfolds in memory and involves loading multiple scripts, shellcode, and Delphi DLLs until everything is in place for executing the final payloads. The last stage is carried out by instructions.js, which fetches the Chrome extensions and installs them on the victim’s system. Finally, all the extensions are started with the proper arguments.

How many Chrome browser extensions are installed?

Researchers state that they have seen five different malicious Chrome browser extensions installed on victims’ devices, including:

  • Online – Fingerprints the victim and writes a registry key.
  • Mtps4 – Connects to the C2 and waits for incoming PascalScripts. Also capable of capturing a screenshot and displaying it in full screen to hide malicious tasks running in the background.
  • Chrolog – Steals passwords from Google Chrome by exfiltrating the database to the C2 through HTTP.
  • Chronodx – A loader and JS banking trojan that runs silently in the background and waits for a Chrome launch. If the browser is opened, it closes it immediately and reopens its own instance of Chrome, making it possible to collect banking information.
  • Chremows – Targets Mercado Libre online marketplace credentials.
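Because these extensions are fetched to disk and started by the loader rather than installed from the Web Store, two things a responder can check on a suspect machine are the extension records in the Chrome profile and the arguments the browser was launched with. The following is an added example (not the article's or the researchers' code). Chrome stores each installed extension under `extensions.settings.<id>` in the profile's `Secure Preferences`/`Preferences` JSON, with Web Store installs recorded by a path relative to the profile's `Extensions` folder; an extension whose path resolves outside the profile has been side-loaded. Separately, `--load-extension` is the standard Chrome switch for loading unpacked extension directories (comma-separated). The preferences document, extension IDs, names and command line below are constructed samples; the `chrolog` manifest name is a guess at how the article's Chrolog extension might appear and is not taken from the page.

```python
"""Find side-loaded Chrome extensions from profile preferences and launch args.

Added example, not from the original article. SAMPLE_PREFS is a constructed,
trimmed 'Secure Preferences' document; SAMPLE_CMDLINE is a constructed Chrome
launch command line. Only the 'path' field decides the verdict; 'location' is
reported for the analyst but not interpreted.
"""
from __future__ import annotations
import json
import re
from pathlib import PureWindowsPath

# Constructed sample profile location and preferences (extension IDs are made up).
PROFILE_DIR = PureWindowsPath(r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default")
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "bcdefghijklmnopabcdefghijklmnopa": {  # typical store install: relative path
                "location": 1,
                "path": "bcdefghijklmnopabcdefghijklmnopa/2.0.13_0",
                "manifest": {"name": "Sample Store Extension", "permissions": ["activeTab"]},
            },
            "pponmlkjihgfedcbaponmlkjihgfedcb": {  # side-loaded from the staging folder
                "location": 4,
                "path": "C:\\Users\\alice\\AppData\\Roaming\\extensions\\chrolog",
                "manifest": {"name": "chrolog",
                             "permissions": ["nativeMessaging", "<all_urls>", "tabs"]},
            },
        }
    }
})
SAMPLE_CMDLINE = (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                  r'--load-extension="C:\Users\alice\AppData\Roaming\extensions\chrolog,'
                  r'C:\Users\alice\AppData\Roaming\extensions\online" --no-first-run')

LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.I)


def find_sideloaded_extensions(prefs_json: str, profile_dir: PureWindowsPath) -> list[dict]:
    """Return extension entries whose install path resolves outside the profile."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        path = PureWindowsPath(entry.get("path", ""))
        # Store installs are relative to <profile>\Extensions; an absolute path
        # that does not sit under the profile means the extension was side-loaded.
        resolved = path if path.is_absolute() else profile_dir / "Extensions" / path
        if profile_dir not in resolved.parents:
            manifest = entry.get("manifest", {})
            findings.append({
                "id": ext_id,
                "name": manifest.get("name"),
                "path": str(resolved),
                "location": entry.get("location"),
                "permissions": manifest.get("permissions", []),
            })
    return findings


def sideload_args(command_line: str) -> list[str]:
    """Return the directories a Chrome command line loads via --load-extension."""
    dirs: list[str] = []
    for m in LOAD_EXT.finditer(command_line):
        value = m.group(1) or m.group(2)
        dirs.extend(p for p in value.split(",") if p)
    return dirs


def browser_report(prefs_json: str, profile_dir: PureWindowsPath, command_line: str) -> dict:
    """Combine both checks into one summary for the responder."""
    exts = find_sideloaded_extensions(prefs_json, profile_dir)
    args = sideload_args(command_line)
    return {"sideloaded_extensions": exts, "load_extension_dirs": args,
            "suspicious": bool(exts or args)}


if __name__ == "__main__":
    print(json.dumps(browser_report(SAMPLE_PREFS, PROFILE_DIR, SAMPLE_CMDLINE), indent=2))
```

On a real host the preferences file is read from the user's Chrome profile and the command line comes from process creation logs or a live process listing; the path test is deliberately independent of Chrome's numeric `location` codes so it does not depend on a particular Chromium version.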

At this time, the Chaes campaign is still ongoing, and those who have been compromised will remain at risk even if the websites are cleaned. Our security researchers claim that some of the compromised websites abused for dropping the payloads are very popular in Brazil, so the number of infected systems is likely large.
