A new Python variant of the Chaes malware poses a significant threat to the banking and logistics industries. This updated version, known as Chae$ 4, has undergone major changes, the most consequential being a complete rewrite in Python, which has lowered its detection rate against traditional defenses.
It is particularly concerning because it targets e-commerce customers in Latin America, primarily Brazil, in order to steal sensitive financial information. The malware's architecture and delivery mechanism have evolved, but its primary goal is unchanged: compromising victims' systems and stealing data.
One noteworthy aspect of this malware is its delivery method: compromised websites present visitors with pop-up messages urging them to download a software installer.
Running that installer deploys the malicious modules responsible for data theft and system compromise. The orchestrator module, ChaesCore, opens a channel to a command-and-control (C2) server and fetches additional modules on demand, each built for a specific task: stealing login credentials, intercepting cryptocurrency transfers, or collecting data from particular applications.
Persistence on infected hosts is maintained through scheduled tasks, and C2 communication runs over WebSockets. Of particular concern is the targeting of cryptocurrency transfers and of instant payments made through Brazil's PIX platform, which underlines the financial motive of the actors behind Chaes. For defenders, both mechanisms are observable: a scheduled task that launches a Python interpreter from a user-writable directory, or a WebSocket upgrade to a host outside the organisation's usual traffic, is worth baselining and alerting on. The evolution of this malware shows how quickly criminal tooling adapts, and why detection content has to be updated alongside it.
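As an added example (not code from this page or from the Chae$ 4 analysis it summarises), the script below shows one way to hunt for the scheduled-task persistence described above: it parses Windows Task Scheduler XML exports and flags any task that launches a Python interpreter from a user-writable directory, points it at a script in one, or passes it inline code with -c. The XML namespace is the real one Task Scheduler uses; the path heuristics, task names and sample task documents are constructed for the example and are not indicators taken from the report.

```python
"""Triage exported Windows Scheduled Tasks for Python-based persistence.

Added example; not code from the page or from the Chae$ 4 report. The
heuristics (an interpreter or script living in a user-writable path, or
inline code passed with -c) are generic assumptions, not published IOCs.
Export real tasks with: schtasks /query /xml /tn "<name>" (output is UTF-16,
decode it before calling triage()), or Export-ScheduledTask in PowerShell.
"""
import re
import shlex
import xml.etree.ElementTree as ET

# Default namespace of Task Scheduler XML documents.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed heuristics for this example only.
PYTHON_EXE = re.compile(r"(?:^|\\)python\w*\.exe$", re.IGNORECASE)
SCRIPT_SUFFIX = re.compile(r"\.py[cw]?$", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC|PROGRAMDATA)%"
    r"|[A-Za-z]:\\Users\\[^\\]+\\"
    r"|[A-Za-z]:\\ProgramData\\"
    r"|[A-Za-z]:\\Windows\\Temp\\)",
    re.IGNORECASE,
)


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task document."""
    root = ET.fromstring(task_xml)
    for exec_el in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield cmd.strip(), args.strip()


def _tokens(arguments):
    """Split a Windows argument string, keeping quoted paths with spaces intact."""
    try:
        return [t.strip('"') for t in shlex.split(arguments, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return arguments.split()


def suspicious_reasons(command, arguments):
    """Return the reasons an action looks like Python-based persistence ([] if none)."""
    reasons = []
    if not PYTHON_EXE.search(command):
        return reasons
    if USER_WRITABLE.match(command):
        reasons.append(f"interpreter in user-writable path: {command}")
    tokens = _tokens(arguments)
    if "-c" in tokens:
        reasons.append("inline code passed with -c")
    for tok in tokens:
        if SCRIPT_SUFFIX.search(tok) and USER_WRITABLE.match(tok):
            reasons.append(f"script in user-writable path: {tok}")
    return reasons


def triage(task_name, task_xml):
    """Return one finding dict per flagged <Exec> action of a task."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        reasons = suspicious_reasons(cmd, args)
        if reasons:
            findings.append({"task": task_name, "command": cmd,
                             "arguments": args, "reasons": reasons})
    return findings


# Constructed sample exports (not real task XML from any incident).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Local\Temp\rt\pythonw.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\core\boot.py --quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Python311\python.exe</Command>
      <Arguments>"C:\Program Files\Vendor\nightly_report.py"</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("UpdateRuntime", SUSPICIOUS_TASK), ("NightlyReport", BENIGN_TASK)):
        for finding in triage(name, xml_text):
            print(f"[{finding['task']}] {finding['command']}")
            for reason in finding["reasons"]:
                print(f"    - {reason}")
```

A per-user Python install under %LOCALAPPDATA%\Programs\Python will also trip the first rule, so treat the output as a review queue to baseline against known installs rather than as a verdict. The WebSocket side of the C2 channel is better hunted in proxy or NetFlow data, where an Upgrade: websocket handshake to an unfamiliar host stands out.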