Ang Banking Trojan Chaes Nag-instalar sa Malisyoso nga Chrome Extension

Helga SmithEnero 30, 2022Katapusan nga Gi-update: Marso 11, 2022
2 pagbasa sa mga minuto

Nadiskobrehan ang dako nga kampanya ni Chaes banker, sa panahon nga mahitungod sa 800 Ang mga site sa WordPress nakompromiso. The Trojan mainly targets Brazilian users and uses five malicious extensions for the Chrome browser in its attacks.

Paggukod activity nadiskobrehan by Avast experts, who report that a new malware campaign started at the end of 2021. Initially, the malware was discovered back in 2020 by Cybereason mga analista, and then (as now) it was aimed at customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre and Mercado Pago banks.

Now the researchers say the attack starts when the victim visits one of the hacked sites. There, the user sees a pop-up window asking to install a fake Java Runtime application.

Mga Trojan Chaes sa Banking

The MSI installer for thisappcontains three malicious files (install.js, sched.js, sucesso.js) that prepare the Python environment for the next stage loader. If the user follows the instructions, the malware initiates a complex bunker delivery procedure, which ends with the deployment of several modulesincluding spyware and remote-access module.

Mga Trojan Chaes sa Banking

Chays is characterized by multi-stage delivery, which involves environments such as JScript, Python and NodeJS, as well as binaries written in Delphi, and malicious extensions for Google Chrome. The ultimate goal of Chaes is to steal credentials stored in Chrome, as well as intercept logins and passwords from popular banking in Brazil. the researchers say.

Some intermediate payloads are not only encrypted, but also hidden in commented code inside the HTML pages of the awsvirtual[.]blogspot.com domain. At the final stage of the attack, the JavaScript dropper downloads and installs up to five malicious Chrome extensions on the victim’s system:

  1. OnlineDelphi module used to fingerprint the victim and transfer system information to the hackerscontrol server;
  2. Mtps4 (MultiTela Pascal) is a Delphi-based backdoor, the main purpose of which is to connect to the control server and wait for the response Pascal Script to be executed;
  3. Chrolog (ChromeLog) – steals passwords from Google Chrome, the module is also written in Delphi;
  4. Chronodx (Chrome Noder) is a JavaScript Trojan that, upon detecting the launch of the Chrome browser, immediately closes it and opens its own instance of Chrome containing a malicious module that steals banking information;
  5. Chremows (Chrome WebSocket) is a banking JavaScript Trojan that intercepts keystrokes and mouse clicks in Chrome to steal credentials (for Mercado Livre and Mercado Pago users).
Sa pagkakaron, the Chaes distribution campaign is still active and will continue until all compromised WordPress sites are secured. Avast analysts say that some of the sites that are used to deliver payloads are very popular in Brazil, so the number of infected systems is likely to be very high.

Tugoti ko nga pahinumdoman ka nga kami usab ang nagsulat niana Trojan sa bangko QakBot attacked over 17,000 tiggamit sa tibuok kalibutan, ug usab niana Anubis Hapit na ang Target sa Android Banker 400 Mga Gumagamit sa Pinansyal nga App.

Mga tag
Helga SmithEnero 30, 2022Katapusan nga Gi-update: Marso 11, 2022
2 pagbasa sa mga minuto

Helga Smith

Kanunay kong interesado sa siyensya sa kompyuter, ilabi na ang seguridad sa datos ug ang tema, nga gitawag karon "siyensya sa datos", sukad pa sa akong pagkabatan-on. Sa wala pa mosulod sa Virus Removal team isip Editor-in-chief, Nagtrabaho ko isip eksperto sa cybersecurity sa daghang kompanya, lakip ang usa sa mga kontraktor sa Amazon. Laing kasinatian: Naa koy pagtudlo sa mga unibersidad sa Arden ug Reading.

Pagbilin ug Tubag

Kini nga site naggamit sa Akismet aron makunhuran ang spam. Hibal-i kung giunsa ang pagproseso sa data sa imong komento.

Balik sa ibabaw nga buton