A widespread campaign involving the compromise of more than 800 WordPress sites has been identified spreading malicious banking trojans designed to target the credentials of e-banking users based in Brazil.

Entitled Chaes, the trojan employed in the campaign has seen active use since the close of 2021, according to security researchers at Avast.

While the specialist security firm alerted the Brazilian CERT, the insidious campaign is still ongoing. The researchers recorded hundreds of sites across the web compromised by malicious scripts developed with the express purpose of pushing the malware.

Chain of attack

When the unsuspecting victim pays a visit to one of the websites compromised by the campaign, they are unceremoniously served with a malicious pop-up making a request to install what is actually a bogus Java Runtime application.

This MSI installer, comprising three different JavaScript files designed with malicious intentions, (sched.js, install.js, and sucesso.js), efficiently prepares the Python environment to receive the next phase loader.

While sched.js script ramps its persistence by launching a Scheduled Task along with a Start-up link, the sucesso.js script is then responsible for sending a status report to the command and control (C2) server.

At the same time, the install.js script is performing other tasks. Using google.com, it checks for internet connectivity and then creates a folder called %APPDATA%\\extensions before downloading password-protected archives like unrar.exe and python32.rar/python64.rar to this location.

Next it writes the path of the new extensions folder it has created to HKEY_CURRENT_USER\Software\Python\Config\Path and performs some rudimentary system profiling, executing the unrar.exe command with a specific password to ensure python32.rar/python64.rar is unpacked as required. Next, it connects to the C2 server and downloads 32 and 65 bit___init__.py-type scripts with two payloads that are encrypted. Every payload then has a randomly generated name.

This loader chain unfolds within memory and involves loading shellcode and multiple scripts, along with Delphi DLLs until the appropriate environment exists for the execution of the Pythion process’s ultimate payload.

The last phase is performed by instructions.js. It fetches the necessary Chrome extensions and then installs them directly on the user’s system. Finally, each extension is launched in turn with the correct arguments.

Malicious chrome browser extensions

According to Avast, the security firm has witnessed at least five different Chrome extensions installed on users’ devices. These include:

• Online (which effectively fingerprints the user before writing a registry key)
• Chrolog (designed to steal passwords from the Google Chrome browser by exfiltrating databases to the C2 server via HTTP)
• Mtps4 (quickly connects to C2 servers and waits for any incoming PascalScripts, while also being able to capture screenshots and then display them in full-screen mode to mask any malicious background tasks running)
• Chronodx (a JavaScript banking trojan and loader that can run silently and waits for when Chrome launches, only to close it instantly and reopen its own bogus version of Chrome that enables banking information collection)
• Chremows (specifically targets the Mercado Libre credentials in use)

At present, this cybercriminal campaign remains ongoing and any users compromised will still be at risk.