Chaes, a multi-stage trojan that steals credentials stored in Google Chrome, is actively being deployed by threat actors. According to Avast, activity linked to the Chaes trojan is increasing, and Avast says nearly 70,000 of its customers in Brazil have already been affected.
What is the Chaes trojan?
Chaes is a trojan delivered through compromised WordPress websites, where it is presented to visitors as a Java installer. Avast has found more than 800 websites carrying the distribution script, all of them WordPress-based, and some of them highly reputable. That suggests the script is being planted through a WordPress attack vector that has not yet been identified.
When a user visits a compromised website, a popup appears instructing them to install Java. A user who follows the instructions downloads a fake Java installer that looks almost identical to the legitimate one, and running it infects the system with the Chaes trojan. The prompt itself should be treated as a warning sign: Chrome dropped support for the Java browser plugin years ago (NPAPI plugins were removed in Chrome 45), so no website can legitimately require a Chrome user to install Java in order to view it, and the genuine installer comes only from Oracle's own java.com download and carries Oracle's code signature.
Complicated, multi-stage delivery
Installation is a multi-stage process that uses JScript, Python and Node.js components, Delphi libraries and malicious Google Chrome extensions. Once it completes, the attackers can harvest credentials for banking websites, both traditional banks and cryptocurrency-oriented services.
Avast researchers Anh Ho and Igor Morgenstern say they immediately informed the Brazilian Computer Emergency Response Team in the hope of stopping the spread of the Chaes trojan. They summarize the ongoing attacks as follows:
"Chaes exploits many websites containing CMS WordPress to serve malicious installers. Among them, there are a few notable websites for which we tried our best to notify BR Cert. The malicious installer communicates with remote servers to download the Python framework and malicious Python scripts which initiate the next stage of the infection chain. In the final stage, malicious Google Chrome extensions are downloaded to disk and loaded within the Python process. The Google Chrome extensions are able to steal users' credentials stored in Chrome and collect users' banking information from popular banking websites."
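The final stage described above, malicious Chrome extensions written to disk and loaded outside the normal Web Store flow, is the part of the chain a defender can most easily look for on an endpoint. The script below is an added example written for this article; it is neither Avast's tooling nor Chaes code. It reads the JSON that Chrome keeps per profile in the Preferences and Secure Preferences files (extensions.settings, keyed by extension id) and reports extensions whose provenance is wrong: not marked from_webstore, a location code meaning the extension was sideloaded (unpacked directory, command line, external pref or registry entry), or an absolute install path instead of the usual <id>/<version>_0 relative path. The numeric location codes are Chromium's ManifestLocation values; the SAMPLE_PREFS dict is constructed for the demo and is not data from any real infection.

```python
"""Triage Chrome extensions that did not arrive through the Chrome Web Store.

Added example, not Avast's code or Chaes tooling.  SAMPLE_PREFS is constructed.
"""
from __future__ import annotations

import json
import sys
from pathlib import Path, PurePosixPath, PureWindowsPath

# Chromium ManifestLocation values (extensions/common/mojom/manifest.mojom).
LOCATION_NAMES = {
    1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
    5: "component", 6: "external_pref_download", 7: "external_policy_download",
    8: "command_line", 9: "external_policy", 10: "external_component",
}
# Ways code already running on the machine can load an extension without the Web Store.
SIDELOAD_LOCATIONS = {2, 3, 4, 8}
# Browser-bundled or enterprise-managed extensions: from_webstore=False is normal here.
MANAGED_LOCATIONS = {5, 7, 9, 10}
# Permissions that let an extension read or rewrite traffic to arbitrary sites,
# which is what credential theft from banking pages needs.  Recorded as context
# on a finding, not as a finding by themselves (many legitimate extensions use them).
BROAD_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "cookies", "debugger",
                     "nativeMessaging", "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def suspicious_extensions(prefs: dict) -> list[dict]:
    """Return one record per extension whose provenance is not the Web Store."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, rec in settings.items():
        if not isinstance(rec, dict):
            continue
        manifest = rec.get("manifest") or {}
        location = rec.get("location")
        path = rec.get("path") or ""
        reasons = []
        if location in SIDELOAD_LOCATIONS:
            reasons.append("location=" + LOCATION_NAMES[location])
        if not rec.get("from_webstore", False) and location not in MANAGED_LOCATIONS:
            reasons.append("not from Web Store")
        # Store installs live under <id>/<version>_0 relative to the profile directory;
        # an absolute path means the code was loaded from somewhere else on disk.
        if PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute():
            reasons.append("absolute install path: " + path)
        if not reasons:
            continue
        requested = list(manifest.get("permissions", []))
        requested += manifest.get("host_permissions", [])          # manifest v3
        for script in manifest.get("content_scripts", []):
            requested += script.get("matches", [])
        broad = sorted(set(requested) & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                         "version": manifest.get("version", "?"), "path": path,
                         "reasons": reasons})
    return findings


def scan_user_data_dir(user_data_dir: Path) -> list[dict]:
    """Scan every profile (Default, Profile 1, ...) under a Chrome user-data directory."""
    hits = []
    for name in ("Preferences", "Secure Preferences"):
        for prefs_file in sorted(user_data_dir.glob(f"*/{name}")):
            try:
                prefs = json.loads(prefs_file.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue
            for hit in suspicious_extensions(prefs):
                hit["profile"] = prefs_file.parent.name
                hits.append(hit)
    return hits


# Constructed sample: one normal store install, one unpacked extension loaded from
# a temp directory with traffic-interception permissions, one policy-installed one.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.2.3_0",
        "manifest": {"name": "Store Extension", "version": "1.2.3", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
        "manifest": {"name": "Helper", "version": "0.1",
                     "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {
        "from_webstore": False, "location": 9,
        "path": "cccccccccccccccccccccccccccccccc/2.0_0",
        "manifest": {"name": "Policy Extension", "version": "2.0", "permissions": ["tabs"]}},
}}}

if __name__ == "__main__":
    results = scan_user_data_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else \
        suspicious_extensions(SAMPLE_PREFS)
    for r in results:
        print(f"[{r.get('profile', 'sample')}] {r['id']} {r['name']} {r['version']}")
        for reason in r["reasons"]:
            print("    -", reason)
```

Run it with the Chrome user-data directory as its only argument (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data`); with no argument it triages the constructed sample and reports only the unpacked "Helper" extension. Two caveats: the article does not say which loading mechanism Chaes uses, and an extension can also be injected at browser launch through the `--load-extension=` switch without ever appearing in the Preferences file, so pair this check with a look at the command lines of running Chrome processes.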