Fresh Malware Targets Brazilian E-Commerce Site UsersResearchers Discover Phishing Campaign Spoofs Site
Researchers at the security firm Cybereason have uncovered a multistage malware variant that evades antivirus tools and is targeting users of a major Brazilian e-commerce site.
See Also: IVR Fraud: 'A Fraudsters' Playground'
The info-stealing malware, dubbed Chaes, is targeting users of MercadoLivre and its payment page MercadoPago to harvest login credentials, credit card numbers and other financial information.
"Chaes also takes screenshots of the infected machine ... and monitors the Chrome web browser to collect user information from infected hosts," the researchers note in the report released Wednesday.
First observed in August, the malware's activity spiked in October.
"Currently, the malware seems to target mostly Brazilian users," says Assaf Dahan, senior director, head of threat research at Cybereason. "However, there are Portuguese-speaking individuals living all over the globe, so it is possible that this threat has more victims outside of Latin America in other regions. Mercado Livre operates in many Latin American countries, so potentially Spanish-speaking users might be also targeted now or in the future."
The discovery of Chaes comes at a time when Brazilian cybercriminal gangs have become more bold with their use of malware and are seeking to target victims in the U.S., Europe and elsewhere (see: Brazilian Banking Trojans Spread to Other Nations).
Use of Legitimate Software
The Chaes malware uses LoLbins, a binary supplied by the operating system that is usually used for legitimate purposes but can also be abused. The use of this and other legitimate software makes the malware challenging to detect with antivirus tools, according to the report.
The attacks begin by sending the victim a phishing email - posing as the ecommerce site - that contains a malicious Word file, the report notes. This file also contains a vulnerability exploit tracked as CVE-2017-1999. Once the user clicks on the malicious file, it exploits the vulnerability and communicates with the command-and control server, called "evolved-thief[.]online", requesting the first payload - an MSI file.
MSI is a legitimate installer file format to deploy applications in Windows.
After the MSI file is executed, it drops Invisible.vbs, which the malware uses to execute other processes. This includes two other files called Uninstall.dll and engine.bin as well as other components. Once these are installed, the key objective is to download additional content and maintain a foothold on the infected machine, the researchers note.
The MSI file then spawns a Wscript child process using "invisible.vbs" to initiate the execution of the engine.bin content using the LOLBin InstallUtil. It also executes a process named "hhc.exe," which is a legitimate HTML Help Compiler process, the report notes.
Researchers note the hhc.exe process creates several .SQL files named "local.sql."
"These SQL databases are being used to extract sensitive information from the Chrome browser similar to other traditional information stealers; some of the SQL tables are related to credit cards, login credentials of websites and personal information of a user," the researchers state.
Once the Chrome browser is infected, pythonw.exe executes the final piece of the malware framework, which installs NodeJs in the infected machine in a location that contains the path "MicrosoftMediaOz." The Cybereason researchers explain: "The node.exe process will be the last part of the puzzle. It will be responsible for reacting according to code written in 'index.js' and sending the collected data from the infected machine to the [command-and-control]."
"The malware infection chain is perhaps one of the most complex and long infection chains observed in the region," Dahan notes. "It uses a myriad of techniques and a multistage installation, which enables the malware to remain under the radar. The malware authors seem to be proficient in several programming languages, and the use of NODE.js as one of the key components is considered quite rare in the realm of banking Trojans."