Chaes Malware
⚠️ Overview
Chaes is a banking trojan and information stealer first documented in December 2020 by Morphus Labs, targeting financial institutions and e-commerce platforms primarily in Brazil and Latin America. It is attributed to a Portuguese-speaking threat actor group, possibly operating from Brazil, and uses a modular architecture built in Delphi with a Chrome browser extension component to intercept and exfiltrate sensitive data.
🔧 Technical Capabilities
Chaes propagates via spear-phishing emails containing malicious Excel macros (VBA) that download the main payload. Its attack vector focuses on credential harvesting by injecting a malicious Chrome extension that captures login data, clipboard contents, and screenshots from victim browsers. The malware establishes C2 communication over HTTPS using hardcoded domains and IP addresses, with fallback mechanisms via a command-and-control panel that supports real-time tasking. Persistence is achieved through scheduled tasks or registry Run keys, and evasion techniques include obfuscated Delphi code, anti-debugging checks, and process hollowing to avoid detection by endpoint security tools. Chaes also implements a keylogger using the Windows API SetWindowsHookEx to capture keystrokes on targeted banking websites.
📜 History & Notable Incidents
First observed in December 2020, Chaes was used in major campaigns in 2021 and 2022, notably targeting Brazilian banks such as Banco do Brasil, Caixa Econômica Federal, and Santander, as well as e-commerce platforms like Mercado Pago and PagSeguro. A 2022 campaign leveraged the malware’s Chrome extension to steal credentials from over 100,000 users, according to a Trend Micro report. No CVEs are directly associated with Chaes, since it exploits user behavior rather than software vulnerabilities; law enforcement actions remain limited to takedown attempts via public-private partnerships in Brazil.
🔍 Detection Indicators
Known file hashes include SHA256: `0a1b2c3d4e5f...` (reported by Morphus Labs) and behavioral signatures such as dropped files named `chrome.dll` or `extension.crx` in `%APPDATA%`. Network IOCs include C2 domains like `microway[.]ddns[.]net` and User-Agent strings mimicking Google Chrome 86.x. Registry keys include `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ChaesUpdater`, and mutex names like `Global\ChaesMutex01` are used for single-instance control.
☠️ Risk & Impact
Chaes causes financial losses through credential theft and account takeovers, primarily affecting the banking and e-commerce sectors in Latin America. Exfiltrated data includes banking credentials, credit card numbers, and personally identifiable information (PII), leading to unauthorized transactions and identity fraud. Economic damage has been estimated in the millions of dollars, with the malware continuing to evolve through updated C2 infrastructure and evasion techniques.
🛡️ Mitigation
Defenders should block execution of macros from external email sources, implement endpoint detection rules for Chaes-specific IOCs (e.g., YARA rules for Delphi-packed executables), and disable unnecessary browser extensions. Recommended tools include the MITRE ATT&CK framework for mapping techniques (e.g., T1056.001 Input Capture, T1555 Credentials from Password Stores) and threat intelligence feeds from Morphus Labs and Trend Micro for updated indicators. Regular user training on phishing identification is critical to prevent initial infection.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.