A new Python-rewritten variant of the Chaes banking malware — dubbed Chae$4 — was delivered through 800 compromised WordPress websites using fake Java and antivirus download prompts, deploying a modular attack framework that steals banking credentials, crypto wallet data, browser cookies, and payment transfers from Latin American financial platforms.
Stories Covered
Chae$4: Rewritten Python Chaes Malware Hits Banking and Logistics via 800 Compromised WordPress Sites
The Chaes banking malware, first identified in 2020 targeting e-commerce customers in Latin America (particularly Brazil), underwent a major architectural overhaul in its latest variant, internally referred to as Chae$4. Morphosec researchers shared technical analysis with The Hacker News documenting the key changes: the malware was rewritten entirely in Python, switching from a compiled binary to an interpreted language packaged as a Windows executable. The significance of the Python rewrite is detection evasion — traditional antivirus and endpoint detection products have more mature signature and behavioral detection for malware written in C, C++, and Visual Basic than for Python-compiled executables, and Chaes operators appear to have made the switch specifically to reduce detection rates. The same evasion rationale has been observed in Go-based and Rust-based malware, where the relative novelty of the language in the malware ecosystem means fewer samples exist for detection engines to train on.
Delivery relies on 800 compromised WordPress websites. When a victim visits one of these hijacked sites, a pop-up prompt appears claiming the visitor needs to install a Java runtime update or an antivirus solution to continue. Users who comply download a malicious MSI installer file that installs Chase Core — the primary orchestrator module. Chase Core does not directly execute the malicious payload; it establishes a WebSocket connection to the attacker’s command-and-control server and downloads additional specialized modules on demand. This modular architecture separates the delivery mechanism from the payload, allowing attackers to update individual components and reducing the likelihood that any single detection catches the entire operation at once. Persistence is maintained through a Windows scheduled task that runs continuously, with WebSocket-based C2 communication keeping the implant in a loop awaiting further instructions. The Cronod stealer module goes further, modifying browser shortcut files so that launching Chrome or Firefox actually runs the Cronod module first, which then connects to the browser instance via the Chrome DevTools Protocol to intercept activity from inside the browser itself.
The modular payload suite covers the full range of financial data on a victim machine. The Cronod module steals web browser login credentials and intercepts Bitcoin, Ethereum, and PIX payment transfers in transit. The Apita module targets the Itaú Unibanco desktop banking application specifically. The Kratos module extracts data from MercadoLibre, MercadoPago, and WhatsApp. The Stealer module harvests credit card data, cookies, autofill information, and session tokens from web browsers — a valid session cookie allows an attacker to log in as the victim without needing the password. The File Uploader module extracts data from the MetaMask browser extension, targeting cryptocurrency held in browser-based wallets. The attack surface Chae$4 covers is comprehensive: anyone who does online banking, holds cryptocurrency in browser extensions or exchange accounts, or uses financial platforms prevalent in Latin America is within scope. The delivery mechanism — fake update prompts on compromised legitimate websites — exploits the same instinct that security awareness training tries to reinforce for email phishing, but applied to websites that may appear entirely credible because they were once legitimate. The defense is the same as it has always been: do not install software prompted by a website pop-up, regardless of what urgency the message conveys.
Leave a Reply