Gandalf_The_Grey
The Chaes malware has returned as a new, more advanced variant that includes a custom implementation of the Google DevTools protocol for direct access to the victim's browser functions, allowing it to steal data using WebSockets.
The malware first appeared in the wild in November 2020, targeting e-commerce clients in Latin America. Its operations significantly expanded by late 2021 when Avast observed it using 800 compromised WordPress sites to distribute the malware.
Upon infection, Chaes installs malicious extensions in the victim's Chrome browser to establish persistence, captures screenshots, steals saved passwords and credit cards, exfiltrates cookies, and intercepts online banking credentials.
The new Chaes version was spotted by Morphisec in January 2023 and was seen primarily targeting platforms like Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, MetaMask, and many CMS services like WordPress and Joomla.
The infection chain in the latest campaign remains the same as those seen in the past, involving deceptive MSI installers that trigger a multi-step infection that uses seven distinct modules that perform various functions.
Source: Chaes malware now uses Google Chrome DevTools Protocol to steal data (www.bleepingcomputer.com)
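As an added example (not code from the post or from BleepingComputer), the defender-side check a practitioner would want after reading this: scanning Windows process-creation events for a Chromium-based browser launched with the switches that expose the DevTools Protocol over a WebSocket or pipe, or that side-load an unpacked extension. The switch names are Chrome's own documented command-line switches; that Chaes starts the browser this way is an assumption, and the sample events and parent-process list are constructed.

```python
import re

# Constructed sample process-creation events (e.g. from Sysmon Event ID 1); not from the post.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"pid": 5208, "parent": "msiexec.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 '
                r'--load-extension="C:\Users\Public\ext" --user-data-dir="C:\Users\Public\p"'},
    {"pid": 6011, "parent": "python.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-pipe --headless'},
]

BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")

# Chrome switches that hand a local process control of the browser (DevTools Protocol)
# or load an unpacked extension. Assumption: a CDP-based stealer needs one of the first two.
SUSPICIOUS_FLAGS = {
    "--remote-debugging-port": "DevTools Protocol exposed over a local WebSocket",
    "--remote-debugging-pipe": "DevTools Protocol exposed over a pipe",
    "--load-extension": "unpacked extension side-loaded",
    "--disable-extensions-except": "extension allow-list override",
}
# Constructed list: parents that should not normally launch an interactive browser.
SUSPICIOUS_PARENTS = {"msiexec.exe", "wscript.exe", "cscript.exe", "powershell.exe", "python.exe"}

def split_cmdline(cmdline):
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)

def analyze_event(event):
    """Return a list of reasons this event looks like remote control of the browser; [] if benign."""
    args = split_cmdline(event["cmdline"])
    exe = args[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in BROWSERS:
        return []
    reasons = []
    for arg in args[1:]:
        flag = arg.split("=", 1)[0].lower()      # "--remote-debugging-port=9222" -> switch name only
        if flag in SUSPICIOUS_FLAGS:
            reasons.append(f"{flag}: {SUSPICIOUS_FLAGS[flag]}")
    # An unusual parent only matters in combination with one of the switches above.
    if reasons and event["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"unusual parent {event['parent']}")
    return reasons

def scan(events):
    """Map pid -> reasons for every event that triggered at least one finding."""
    return {e["pid"]: reasons for e in events if (reasons := analyze_event(e))}
```

A plain profile launch yields no finding; the installer-spawned browser with a debugging port and a side-loaded extension, and the script-spawned headless browser with a debugging pipe, are both flagged.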