fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Chaes Banking Trojan Hijacks Chrome with Malicious Extensions

Chaes Banking Trojan Hijacks Chrome with Malicious Extensions

A large-scale campaign involving over 800 compromised WordPress websites is spreading banking trojans that target the credentials of Brazilian e-banking users.

The trojan used in this campaign is called ‘Chaes,’ and according to researchers from Avast, its been actively spreading since late 2021.

Although the security firm notified the Brazilian CERT, the campaign is ongoing, with hundreds of websites still compromised with malicious scripts that push the malware.

Also Read: How To Anonymised The Data: What Are The Importance Of This?

The attack chain

When the victim visits one of the compromised websites, they are served with a pop-up that requests them to install a fake Java Runtime app.

Warning urging the user to download Java
Warning urging the user to download Java
Source: Avast

The MSI installer contains three malicious JavaScript files (install.js, sched.js, sucesso.js) that prepare the Python environment for the next stage loader.

The sched.js script adds persistence by creating a Scheduled Task and a Startup link, and sucesso.js is responsible for reporting the status to the C2.

Meanwhile, the install.js script performs the following tasks:

  • Check for Internet connection (using google.com)
  • Create %APPDATA%\\\\extensions folder
  • Download password-protected archives such as python32.rar/python64.rar and unrar.exe to that extensions folder
  • Write the path of the newly created extensions folder to HKEY_CURRENT_USER\\Software\\Python\\Config\\Path
  • Performs some basic system profiling
  • Execute unrar.exe command with the password specified as an argument to unpack python32.rar/python64.rar
  • Connect to C2 and download 32bit and 64bit __init__.py scripts along with two encrypted payloads. Each payload has a pseudo-random name.
The Chaes infection chain
The Chaes infection chain
Source: Avast

The Python loader chain unfolds in memory and involves loading multiple scripts, shellcode, and Delphi DLLs until everything is in place for executing the final payload within a Python process.

Also Read: Trusted Data Sharing Framework IMDA Announced In Singapore

The final stage is undertaken by instructions.js, which fetches the Chrome extensions and installs them on the victim’s system. Finally, all extensions are launched with the proper arguments.

Chrome extensions

Avast says they have seen five different malicious Chrome browser extensions installed on victim’s devices, including:

  • Online – Fingerprints the victim and writes a registry key.
  • Mtps4 – Connects to the C2 and waits for incoming PascalScripts. Also capable of capturing a screenshot and displaying it in full screen to hide malicious tasks running in the background.
  • Chrolog – Steals passwords from Google Chrome by exfiltrating the database to the C2 through HTTP.
  • Chronodx – A loader and JS banking trojan that runs silently in the background and waits for a Chrome launch. If the browser is opened, it will close it immediately and reopen its own instance of Chrome that makes banking info collection possible.
  • Chremows – Targets Mercado Libre online marketplace credentials.
Closing and relaunching Chrome
Closing and relaunching Chrome
Source: Avast

At this time, the Chaes campaign is still ongoing, and those who have been compromised will remain at risk even if the websites are cleaned.

Avast claims that some of the compromised websites abused for dropping the payloads are very popular in Brazil, so the number of infected systems is likely large.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us