Chaes Banking Trojan Grabs Sensitive Details Via 800 Compromised WordPress Sites

First documented by Cybereason in November 2020, Chaes is an info-stealing banking trojan delivered via a sophisticated infection chain that's engineered to harvest sensitive consumer information, including login credentials, credit card numbers, and other financial information. It has compromised over 800 WordPress websites and is targeting Brazilian customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre and Mercado Pago. It uses a fake version of Chrome to do its evil work.

Eddy Bobritsky, CEO of Minerva Labs, provided this comment:

Browser-based attacks are one of the most common vectors used by adversaries to gain control of an internal system on a target network.

Attackers usually exploit known and unknown (zero-day) vulnerabilities in browser applications, either by running malicious ads on unsuspecting websites or through injected browser extensions.

This has become such a widespread issue that most endpoint security vendors now offer browser isolation features to protect from these types of attacks.

Saryu Nayyar, CEO and Founder of Gurucul, added her thoughts:

“This is a multi-stage browser-based attack that is focused on harvesting user credentials, primarily targeting banking customers' accounts. While consumers need to be vigilant and cautious before clicking on any unusual links at these compromised sites, banking institutions can also help their customers by implementing solutions that identify suspicious logins and unusual transactions. Behavior-based fraud analytics that baseline user activity and monitor for unusual transactions are a critical solution that must be part of a layered security program within financial institutions.”

Given the scope of this threat, the only real mitigation is just to be super careful in terms of what you click on. That’s true in the best of times, but it’s really important in light of this threat.
