Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Chaes can steal login credentials and stored financial information from the browser.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Chaes has used an unsigned, crafted DLL module named |
| Enterprise | T1112 | Modify Registry | Chaes can modify Registry values to store information and establish persistence.[1] |
| Enterprise | T1573 | Encrypted Channel | |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Chaes has used search order hijacking to load a malicious DLL.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Chaes has decrypted an AES-encrypted binary file to trigger the download of other files.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Chaes has added persistence via the Registry key |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Chaes has used Python scripts for execution and the installation of additional files.[1] |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Chaes has used a JavaScript and Node.js information stealer script that exfiltrates data using the node process.[1] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Chaes has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol.[1] |
| Enterprise | T1106 | Native API | Chaes used the |
| Enterprise | T1221 | Template Injection | Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the download URL of the next payload.[1] |
| Enterprise | T1185 | Browser Session Hijacking | Chaes has used the Puppeteer module to hook and monitor the Chrome web browser and collect user information from infected hosts.[1] |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Some versions of Chaes stored its instructions (otherwise in a |
| Enterprise | T1204.002 | User Execution: Malicious File | Chaes requires the user to click on the malicious Word document to execute the next part of the attack.[1] |
| Enterprise | T1539 | Steal Web Session Cookie | Chaes has used a script that extracts the web session cookie and sends it to the C2 server.[1] |
| Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Chaes has used .MSI files as an initial way to start the infection chain.[1] |
| Enterprise | T1082 | System Information Discovery | Chaes has collected system information, including the machine name and OS version.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Chaes has collected the username and UID from the infected machine.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Chaes can download additional files onto an infected machine.[1] |
| Enterprise | T1056 | Input Capture | Chaes has a module to perform any API hooking it desires.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.[1] |