The Cybereason Nocturnus Team has been tracking a threat actor leveraging previously undetected malware dubbed “Chaes” to target e-commerce customers in Latin America (LATAM).
Chaes malware, first discovered by Cybereason in mid-to-late 2020, is a multistage information stealer that primarily targets Brazil, and specifically the Brazilian customers of MercadoLivre, the largest e-commerce company in Latin America. In recent years, the LATAM cybercrime scene has evolved a great deal. Some of the most notorious malware variants that have been prominent in the region over the last year include Grandoreiro, Ursa and Astaroth.
LATAM cybercrime activities demonstrate unique features when it comes to TTPs and how malware is propagated on an infected machine. Some of the shared similarities include:
• Leveraging of .MSI files as an initial way to start the infection chain
• The use of Delphi as the preferred language to write malware
• Extensive use of LOLBins to execute content
• Downloading additional legitimate tools to expand the malware’s capabilities and for obfuscation
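As an added example (not code from the Cybereason report), the following detection logic runs over constructed process-creation events and flags the first and third items above in combination: an .MSI package launched by msiexec.exe from a user-writable path, followed by a LOLBin child process of that installer. The log format, field names and the LOLBin watch-list are assumptions.

```python
"""Added example, not from the Cybereason report: flag the chain described
above, an .MSI run by msiexec.exe from a user-writable path followed by a
LOLBin child of that installer. Log format and field names are assumed."""
from typing import Dict, List

# LOLBins commonly used to execute downloaded content (assumed watch-list)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "certutil.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

def parse_line(line: str) -> Dict[str, str]:
    """Parse 'pid=..|ppid=..|image=..|cmdline=..' (constructed format)."""
    ev = dict(kv.split("=", 1) for kv in line.strip().split("|", 3))
    ev["image"], ev["cmdline"] = ev["image"].lower(), ev["cmdline"].lower()
    return ev

def msi_from_user_path(ev: Dict[str, str]) -> bool:
    """msiexec.exe installing a package from a user-writable directory."""
    return (ev["image"].endswith("msiexec.exe") and ".msi" in ev["cmdline"]
            and any(p in ev["cmdline"] for p in USER_WRITABLE))

def find_msi_lolbin_chains(lines: List[str]) -> List[str]:
    """Return one alert per LOLBin whose parent is a suspicious msiexec."""
    events = [parse_line(l) for l in lines if l.strip()]
    suspicious_msi = {ev["pid"] for ev in events if msi_from_user_path(ev)}
    alerts = []
    for ev in events:
        name = ev["image"].rsplit("\\", 1)[-1]
        if name in LOLBINS and ev["ppid"] in suspicious_msi:
            alerts.append(f"pid {ev['pid']}: {name} spawned by msiexec "
                          f"(ppid {ev['ppid']}) -> {ev['cmdline']}")
    return alerts

# Constructed sample telemetry; paths and names are not real indicators
SAMPLE_LOG = [
    "pid=100|ppid=50|image=C:\\Windows\\System32\\msiexec.exe"
    "|cmdline=msiexec /i C:\\Users\\bob\\Downloads\\nota.msi /qn",
    "pid=101|ppid=100|image=C:\\Windows\\System32\\rundll32.exe"
    "|cmdline=rundll32 C:\\Users\\bob\\AppData\\Roaming\\x.dll,Start",
    "pid=102|ppid=50|image=C:\\Windows\\System32\\msiexec.exe"
    "|cmdline=msiexec /i C:\\ProgramData\\vendor\\update.msi /qn",
    "pid=103|ppid=102|image=C:\\Windows\\System32\\regsvr32.exe"
    "|cmdline=regsvr32 /s C:\\ProgramData\\vendor\\lib.dll",
]

if __name__ == "__main__":
    for alert in find_msi_lolbin_chains(SAMPLE_LOG):
        print(alert)
```

The second msiexec instance (a package under ProgramData) is deliberately left unflagged to show that the rule keys on the user-writable source path, not on msiexec alone.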
In studying the shared behavior and mindset of LATAM-based threat actors, Cybereason researchers observed that the malware authors emphasize the need to stay under the radar as much as possible, and prefer to use already-existing tools or legitimate software when these fit their needs.