Chaes banking trojan infects Chrome with malicious extensions
Short News:-
A large-scale campaign involving over 800 compromised WordPress websites is spreading banking trojans that target the credentials of Brazilian e-banking users. The trojan used in this campaign is called 'Chaes,' and according to researchers from Avast, it has been actively spreading since 2021. Avast says it has seen five different malicious Chrome browser extensions installed on victims' devices. The campaign is still ongoing, and those who have been compromised will remain at risk even if the websites are cleaned. Avast claims that some of the compromised websites abused for dropping payloads are popular in Brazil.
Detailed News:-
Over 800 compromised WordPress websites are being used in a large-scale campaign to spread banking trojans that target Brazilian e-banking users' credentials.
Researchers from Avast say the trojan used in this campaign is known as 'Chaes,' and that it has been actively spreading since late 2021.
Despite the security firm notifying the Brazilian CERT about the campaign, hundreds of websites still have the malicious scripts installed and are pushing malware.
Chain of events in an attack
A fake Java Runtime app is presented to the victim when they visit one of the compromised websites.
Three malicious JavaScript files in the MSI installer (install.js, sched.js, and sucesso.js) prepare a Python environment for the next-stage loader.
sched.js creates the Scheduled Task and Startup links, and sucesso.js reports the current state of the system to the C2.
The install.js script, on the other hand, takes care of the following:
Checks for an Internet connection (using google.com) before continuing
Creates a folder called 'extensions' in the APPDATA directory
Stores the password-protected archives python32.zip and python64.zip in the extensions folder
Writes the path of the extensions folder to the registry at HKEY_CURRENT_USER\Software\Python\Config\Path
Executes an elementary system profiling task
Runs unrar.exe with the archive password passed as an argument to unpack python32.rar and python64.rar
Downloads Python scripts for 32- and 64-bit operating systems from the C2, as well as two encrypted payloads whose names are generated using a pseudo-random algorithm
Scripts, shellcode, and Delphi DLLs are all loaded into memory as the Python loader chain proceeds, and the final payload is executed within a Python process.
Instructions.js fetches the Chrome extensions and installs them on the victim's computer in the final stage, after which all extensions are launched with the appropriate arguments in place.
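For defenders who want to triage a Windows host for the artifacts this chain leaves behind, the following PowerShell script is an added example and is not code from Avast or from the article. It only reads the locations the article names; it assumes the archives are the python32/python64 .zip or .rar files, and that scheduled-task actions, Startup shortcuts and chrome.exe command lines referencing the 'extensions' folder are suspicious. Run it as the affected user.

```powershell
# Added triage example for the Chaes artifacts described above (assumptions noted in the lead-in).
$findings = New-Object System.Collections.Generic.List[string]
$extDir   = Join-Path $env:APPDATA 'extensions'
$extRegex = [regex]::Escape($extDir)          # used for case-insensitive -match checks

# 1. The 'extensions' folder in %APPDATA% and the archives/unrar.exe dropped into it
if (Test-Path -LiteralPath $extDir) {
    $findings.Add("Folder present: $extDir")
    Get-ChildItem -LiteralPath $extDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^python(32|64)\.(zip|rar)$' -or $_.Name -ieq 'unrar.exe' } |
        ForEach-Object { $findings.Add("Dropped file: $($_.FullName)") }
}

# 2. HKEY_CURRENT_USER\Software\Python\Config\Path written by install.js
$cfg = Get-ItemProperty -Path 'HKCU:\Software\Python\Config' -ErrorAction SilentlyContinue
if ($cfg -and $cfg.PSObject.Properties['Path']) {
    $findings.Add("Registry value HKCU\Software\Python\Config\Path = $($cfg.Path)")
}

# 3. Scheduled Task and Startup links created by sched.js
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match $extRegex) {
            $findings.Add("Scheduled task '$($task.TaskName)' runs from $extDir")
        }
    }
}
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter '*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ("$($lnk.TargetPath) $($lnk.Arguments)" -match $extRegex) {
            $findings.Add("Startup shortcut '$($_.Name)' points into $extDir")
        }
    }

# 4. Chrome instances whose launch arguments reference the extensions folder
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLine -match $extRegex } |
    ForEach-Object { $findings.Add("chrome.exe PID $($_.ProcessId) command line references $extDir") }

if ($findings.Count -eq 0) { 'No Chaes artifacts found.' } else { $findings }
```

A hit on any of these checks is a reason to preserve the host for investigation rather than just deleting the folder, since the article notes victims remain at risk even after the dropping websites are cleaned.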
Add-ons for Chrome
Among the malicious Chrome browser extensions found on infected devices, according to Avast, are the following:
Fingerprints the victim over the Internet and logs a registry key.
Mtps4 – Connects to the C2 and receives PascalScripts; can take a full-screen screenshot and display it to hide any malicious processes currently running in the background.
Chrolog – Exfiltrates Google Chrome's database to the C2 via HTTP to steal passwords.
Chronodx – A loader and JS banking trojan that waits in the background for Google Chrome to launch; if the browser is open, it immediately reopens its own instance of Chrome, which makes collecting banking information possible.
Chremows – Targets Mercado Libre credentials.
Even if the websites are cleaned, those who have been compromised by the Chaes campaign are still at risk.
As Avast asserts, a large number of systems are likely to have been infected via the compromised websites that were abused to drop the payloads.