Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Chae$ Chronicles: Version 4.1 Dedicated to Morphisec Researchers

Posted by Arnold Osipov on January 18, 2024
Find me on:

In ongoing efforts to monitor and analyze emerging cyber threats, Morphisec Threat Labs has recently turned its focus to Chae$ 4.1, an update to the Chaes malware Infostealer series. This version introduces key updates, including an improved Chronod module, and features a unique aspect: a direct message to the Morphisec team within the source code.

Chae$ hacking banners - 1200x628 (Blog image)

Introduction

This blog post will briefly touch upon the updates in Chae$ 4.1 and mention Morphisec’s initial interaction with the hackers. It will also cover several previously unknown details of the delivery chain.  

For those interested in an in-depth technical analysis, we have prepared a comprehensive report on Chae$ 4.1, available for download. 

Download the full Chae$ 4.1 technical analysis containing exclusive details. 

Chaes - Thank You-1

The Chae$ authors dedicated parts of their source code to the Morphisec researchers

 

Infection Chain 

Chaes 4.1 InfectionChain

The infection chain starts with an email written in Portuguese, which purports to be an urgent communication request from a lawyer regarding a legal case. The email pressured the victim with an urgent call for “prompt response”, or risk highly adverse legal repercussions. The email includes a link and a password to access the document from that link. 

Chaes 4.1 Email Phishing

Delivery via attacker Controlled Websites  

Upon clicking the provided link, the victim will be redirected to https://totalavprotection[.]shop/abrirProcesso.php?email=<victims_email>. Then, the victim will be prompted to input the provided password to download the document, which is a ZIP file. This website https://totalavprotection[.]shop additionally functions as a deceptive website for TotalAV, directly delivering the MSI installer without the intermediary step of a ZIP file. 

Chaes 4.1 TotalAV

Yet another website delivers the malicious payload directly as an MSI installer. https://www.webcamcheck[.]online/ A website that allegedly scans the machine for risks and suggests updating the machine’s driver after “scanning”. After the victim clicks the BLOCK button (marked in red), a JavaScript is executed in the background. The script is designed to mimic the appearance of a legitimate system scan. During the simulated scan, a hardcoded list of files is presented, giving the illusion of a comprehensive analysis of the victim’s computer.

Alert1

Following the scan, the victim is then shown with a crafted message: “Security Risk Detected” and urges the victim to download an updated driver to install the latest version and eliminate the risk.

Alert2

Clicking the button triggers the execution of a script named download.js. Whose purpose is to smuggle the malicious installer by decoding a zipped base64 blob. Following the activation of the installer, Chae$ 4.1 is activated.

Chae$ 4.1 — Changes

From this point onward, the attack chain remains similar to Morphisec’s previous analysis, except for some adjustments in the Chae$ framework. It has advanced from version 4 to 4.1, primarily characterized by modifications in the Chronod module.

Chaes-Flow-BasicThe full components of Chae$, as reviewed in the analysis of Chae$4

In fact, the advancement to Chae$ 4.1 is clearly shown in debug messages:

Chaes-Code-Banner

Following successful activation, exfiltrated data is delivered to the threat actor’s C2. Examining the C2s employed throughout distinct phases of the framework unveils the presence of the Chae$ team panel login page.

Chaes Portal

Full Technical Analysis of Chae$ 4.1

The attached report dives deeper into the new Chae$ variant. Read the full Chae$ 4.1 analysis to delve deeper into the mechanics of this evolved malware, its implications, and what businesses can do to safeguard themselves.

Chae$ Chronicles hacking banners - 800x200

How Morphisec Helps

Morphisec’s Automated Moving Target Defense (AMTD) technology uses a preventative approach to cybersecurity, using an ultra-lightweight agent to block unauthorized processes deterministically, rather than probabilistically. Protecting over 7,000 organizations and deployed at over nine million endpoints, Morphisec's ransomware prevention technology prevents unauthorized code from executing, regardless of whether a recognizable signature or behavior pattern exists.

If you don’t believe us, ask the Chae$ group:

Chaes-Good-JobMorphisec researchers were contacted by the threat actors, leading to an interesting exchange...

 

Schedule a demo to experience Morpisec’s advanced anti-ransomware, endpoint protection and risk-based vulnerability prioritization. Reduce Risk Now.

New call-to-action