Cybercriminals are using over 800 compromised WordPress websites to spread Chaes banking trojan. This Trojan steals the login credentials of e-banking users.
Researchers from Avast found that Chaes banking Trojan has been actively spreading since late 2021. It primarily targeted Brazilian e-banking users. The security firm also notified the Brazilian CERT.
When a user visits any of the compromised websites, it will show a pop-up requesting to install a fake Java Runtime app. This installer includes three malicious JavaScript files (install.js, sched.js, sucesso.js). These files prepare the base for further attack.
Here’s a photo explaining the infection chain.
After the successful installation of the Trojan on compromised systems, all web credentials, history, user profiles stored by Chrome will be sent to attackers. Here is the list of banking websites are being targeted.
- mercadobitcoin.com.br
- mercadopago.com.[ar|br]
- mercadolivre.com.br
- lojaintegrada.com.br
The company also found 5 different malicious Chrome browser extensions installed on the victim’s devices. These extensions serve different purposes.
- Online – Fingerprints the victim and writes a registry key.
- Mtps4 – Connects to the C2 and waits for incoming PascalScripts.
- Chrolog – Steals passwords from Google Chrome.
- Chronodx – A loader and JS banking trojan that runs silently in the background.
- Chremows – Targets Mercado Libre online marketplace credentials.
The security firm noted that the attack is still on and people whose systems have been compromised are still at the risk. The number of infected systems is likely large.
