Chaes Banking Trojan Infects Chrome by Installing Malicious Extensions


A banking trojan that targets the credentials of Brazilian e-banking users is being distributed through a large campaign involving more than 800 compromised WordPress websites. The malware, known as ‘Chaes’, has been spreading actively since late 2021, according to Avast researchers. Despite the security firm’s notification to the Brazilian CERT, hundreds of the websites still host the malicious scripts that deliver the malware.

When a victim visits one of the compromised websites, a pop-up appears asking them to install a phony Java Runtime application; the prompt is the lure, and the installer is not a Java runtime at all. The MSI installer carries three malicious JavaScript files (install.js, sched.js, and sucesso.js) that prepare the Python environment for the next-stage loader. sched.js establishes persistence by creating a Scheduled Task and a Startup link, and sucesso.js reports the installation status to the C2.

The Python loader chain then loads, in memory, a series of scripts, shellcode, and Delphi DLLs until the final payload can execute inside a Python process. The last stage is handled by instructions.js, which downloads the Chrome extensions, installs them on the victim’s PC, and finally launches each extension with the arguments it needs.

According to Avast, five separate malicious Chrome browser extensions have been found on victims’ machines:

  • Online – Fingerprints the victim and writes a registry key.
  • Mtps4 – Connects to the C2 and waits for incoming PascalScripts. It can also take a screenshot of the desktop and display it full screen to hide the malicious activity running behind it.
  • Chremows – Targets credentials for the Mercado Libre online marketplace.
  • Chronodx – A loader and JavaScript banking trojan that runs silently in the background waiting for Chrome to be launched. If the browser is already open, it closes it and reopens its own Chrome instance to collect banking information.
  • Chrolog – Steals saved passwords from Google Chrome by exfiltrating the browser’s credential database to the C2 over HTTP.
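The chain above gives a defender two concrete places to look: the Scheduled Task and Startup link that sched.js creates, and a Chrome instance that the malware itself relaunches with extensions attached. The following Python triage helper is an added example written for this article, not Avast’s code or anything recovered from Chaes. The article does not name the arguments used to start the extensions; the helper assumes Chrome’s documented `--load-extension=<dir>[,<dir>...]` switch, which is the standard way to load an unpacked extension from disk, and flags launches that use it, that point at user-writable directories, or that were spawned by a scripting host such as Python. The `Launch` records, paths, and task name are constructed for the example.

```python
"""Triage check for Chrome extensions side-loaded from the command line.

Added example for this article; not Avast's code or material recovered from
Chaes. The article says Chaes relaunches Chrome "with the appropriate
arguments" but does not name them; assuming Chrome's documented
--load-extension=<dir>[,<dir>...] switch is a choice made here. All sample
launch records below are constructed, not captured data.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

CHROME_BINARIES = {"chrome.exe", "msedge.exe"}  # Chromium family; Edge honours the same switch
SWITCH = "--load-extension"
# Scripting hosts that should not be the parent of a browser process. The article notes
# the Chaes payload runs inside a Python process, hence the two Python entries.
SUSPICIOUS_PARENTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Path fragments that place an extension directory somewhere an unprivileged user can write.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# One argument may mix bare text and quoted spans, e.g. --load-extension="C:\a b\ext"
_TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')


@dataclass
class Launch:
    """Where Chrome gets started from: a Scheduled Task action, a Startup .lnk target or a live process."""
    source: str
    cmdline: str
    parent_image: str = ""


@dataclass
class Finding:
    source: str
    reasons: List[str]
    extension_dirs: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, dropping quotes but keeping the spaces they protected."""
    return [t.replace('"', "") for t in _TOKEN_RE.findall(cmdline)]


def image_name(path: str) -> str:
    """Lower-case file name of an executable path, whichever separator was used."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extension_dirs(args: List[str]) -> List[str]:
    """Collect every directory passed via --load-extension= (Chrome accepts a comma-separated list)."""
    dirs: List[str] = []
    for arg in args:
        if arg.lower().startswith(SWITCH + "="):
            dirs.extend(d for d in arg.split("=", 1)[1].split(",") if d)
    return dirs


def assess(launch: Launch) -> Optional[Finding]:
    """Return a Finding if this launch side-loads an extension, listing every reason it looks wrong."""
    tokens = tokenize(launch.cmdline)
    if not tokens or image_name(tokens[0]) not in CHROME_BINARIES:
        return None  # not a browser launch; outside this check's scope
    dirs = extension_dirs(tokens[1:])
    if not dirs:
        return None  # normal launch: extensions come from the profile, not the command line
    reasons = [f"{SWITCH} side-loads {len(dirs)} unpacked extension dir(s)"]
    writable = [d for d in dirs if any(m in d.lower() for m in USER_WRITABLE_MARKERS)]
    if writable:
        reasons.append("extension dir in a user-writable location: " + ", ".join(writable))
    parent = image_name(launch.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"browser spawned by scripting host {parent}")
    return Finding(launch.source, reasons, dirs)


def hunt(launches: Iterable[Launch]) -> List[Finding]:
    return [f for f in (assess(l) for l in launches) if f is not None]


# Constructed sample: a clean Startup shortcut, a developer-style side-load from Explorer, and one
# entry shaped like the chain the article describes (scheduled task, Python parent, dirs under AppData).
SAMPLE_LAUNCHES = [
    Launch("Startup:Google Chrome.lnk",
           r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'),
    Launch("SchedTask:\\ExampleUpdater",
           r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
           r'--load-extension="C:\Users\victim\AppData\Roaming\ext1,C:\Users\victim\AppData\Local\Temp\ext2" '
           r'--no-first-run',
           parent_image=r"C:\Users\victim\AppData\Local\Programs\Python\python.exe"),
    Launch("Process:4412",
           r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Dev\myext --user-data-dir=C:\Dev\profile',
           parent_image=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LAUNCHES):
        print(f"[{f.source}] {'; '.join(f.reasons)}")
```

On a real host the `Launch` records would come from Scheduled Task actions (`schtasks /query /xml`), the targets of shortcuts in the user and common Startup folders, and process-creation telemetry that records the parent image (Sysmon Event ID 1, for instance). The check is plain string matching on the command line, so any source that yields one will do; a developer who legitimately side-loads an extension shows up with a single reason, while the scheduled-task entry modelled on the article collects all three.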

The Chaes campaign is still active, and machines that have already been compromised stay infected even after the websites are cleaned, since the malware’s persistence does not depend on the site that delivered it. Avast notes that several of the compromised websites used to spread the payloads are quite popular in Brazil, so the number of affected devices is likely to be large.

About the author

CIM Team
