Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Phishing campaign targets LATAM e-commerce users with Chaes Malware

Experts from Cybereason Nocturnus uncovered an active campaign that targets users of a large e-commerce platform in Latin America with Chaes malware. Cybereason Nocturnus security researchers have identified an active campaign focused on the users of a large e-commerce platform in Latin America. Experts at Cybereason Nocturnus have uncovered an active campaign targeting the users […]

Chaes malware

Experts from Cybereason Nocturnus uncovered an active campaign that targets users of a large e-commerce platform in Latin America with Chaes malware.

Cybereason Nocturnus security researchers have identified an active campaign focused on the users of a large e-commerce platform in Latin America.

Experts at Cybereason Nocturnus have uncovered an active campaign targeting the users of a large e-commerce platform in Latin America with malware tracked as Chaes.

The Chaes malware was first spotted in the middle to late 2020 by Cybereason researchers, it is a multistage information stealer that focuses
on Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America.  In 2019, over 320 million users were registered with the MercadoLivre e-commerce platform. 

Chaes is written in several programming languages including Javascript,
Vbscript, .NET , Delphi and Node.js. Experts believe that the malicious code is under development.

“Chaes specifically targets the Brazilian website of e-commerce company MercadoLivre and its payment page MercadoPago to steal its customers’ financial information. The final payload of Chaes is a Node.Js information stealer that exfiltrates data using the node process.” reads the analysis published by Cybereason.

Chaes is also able to take screenshots of the victim’s machine, and
hook and monitor the Chrome web browser to collect user information from infected hosts.

The kill chain starts with phishing messages that use a .docx file that once is opened triggers a template injection attack.

Upon connecting to the command-and-control server, the malware downloads the first malicious payload in the form of a .msi file, which deploys a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin. The malware also installs three other files, hhc.exe, hha.dll and chaes1.bin, researchers also observed the use of a cryptocurrency mining module. 

Chaes malware

The attackers use Microsoft Word’s built-in feature to fetch a payload from a remote server, by changing the template target of the settings.xml file which is embedded in the document and populating this field with a download URL of the next payload.

Chaes attack chain is composed of several stages that include the use
of LoLbins and other legitimate software to avoid detection by AV products.

Experts observed several variants over the recent months, it authors have improved encryption and implemented new functionality of the final Node.js module.

“Multistage malware that uses such techniques in the LATAM region and specifically in Brazil have already been observed and investigated by Cybereason in the past years. Chaes demonstrates how sophisticated and creative malware authors in the Latin America region can be when attempting to reach their goals.” concludes the report. “The malware not only serves as a warning sign to information security researchers and IT professionals not to take lightly the existence of files that are legitimate in nature, but also raises the concern of a possible future trend in using the Puppeteer library for further attacks in other major financial institutions”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]