Previously unknown malware has been detected in widespread attacks against e-commerce customers in Latin America. 

The malware, dubbed Chaes by Cybereason Nocturnus researchers, is being deployed by a threat actor across the LATAM region to steal financial information. 

In a blog post[1] on Wednesday, the cybersecurity team said Brazilian customers of the area's largest e-commerce company, MercadoLivre, are the focus of the infostealing malware.


Headquartered in Buenos Aires, Argentina, MercadoLivre operates both an online marketplace and auctions platform. In 2019, an estimated 320.6 million users were registered with the e-commerce giant. 

First detected in late 2020 by Cybereason, Chaes is spread via phishing campaigns in which emails claim that a MercadoLivre purchase has been successful. To make the emails look more legitimate, the threat actors also appended a "scanned by Avast" footnote.

The messages contain a malicious .docx file attachment. Assaf Dahan, Cybereason Head of Threat Research, told ZDNet the attachment leverages "a template injection technique, using Microsoft Word's built-in feature to fetch a payload from a remote server."

If a victim clicks the file, the vulnerability is used to establish a connection with the attacker's command-and-control (C2) server, as well as download the first malicious payload, an .msi file.

This file then deploys a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin, which both act as the malware's "engine." A further trio of files -- hhc.exe, hha.dll and chaes1.bin -- is installed to stitch together Chaes's main components. A cryptocurrency mining module was also recorded.


Chaes creates registry keys to maintain persistence for the malware's

Read more from our friends at ZDNet