Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Chaes has added persistence via the Registry key |
| Enterprise | T1185 | Browser Session Hijacking | Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts. |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Chaes has used Python scripts for execution and the installation of additional files. |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Chaes can steal login credentials and stored financial information from the browser. |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Chaes has decrypted an AES encrypted binary file to trigger the download of other files. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Chaes has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol. |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Chaes has used search order hijacking to load a malicious DLL. |
| Enterprise | T1105 | Ingress Tool Transfer | Chaes can download additional files onto an infected machine. |
| | | | Chaes has a module to perform any API hooking it desires. |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Chaes has used an unsigned, crafted DLL module named |
| | | | Chaes can modify Registry values to store information and establish persistence. |
| | | | Chaes used the |
| Enterprise | T1027.011 | Obfuscated Files or Information: Fileless Storage | Some versions of Chaes stored its instructions (otherwise in a |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Chaes has been delivered by sending victims a phishing email containing a malicious .docx file. |
| Enterprise | T1539 | Steal Web Session Cookie | Chaes has used a script that extracts the web session cookie and sends it to the C2 server. |
| Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | |
| Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Chaes has used .MSI files as an initial way to start the infection chain. |
| Enterprise | T1082 | System Information Discovery | Chaes has collected system information, including the machine name and OS version. |
| Enterprise | T1033 | System Owner/User Discovery | Chaes has collected the username and UID from the infected machine. |
| | | | Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload. |
| Enterprise | T1204.002 | User Execution: Malicious File | Chaes requires the user to click on the malicious Word document to execute the next part of the attack. |