article featured image


Chaes is a banking trojan that was discovered in Brazil in November 2020 and has been active since then.

The researchers at Avast were the ones that discovered Chaes’s artifacts on more than 800 websites in total.

More than 700 of them are based on TLDs from Brazil. All of the affected websites are WordPress-based, meaning that the attack vector may have been the exploitation of vulnerabilities in the WordPress content management system.

An interesting characteristic of Chaes is its multi-stage distribution method, which makes use of programming frameworks such as JScript, Python, and NodeJS, binary files written in Delphi, as well as malicious Google Chrome extensions, among other things. Chaes’s ultimate objective is to steal passwords saved in Chrome and intercept logins to prominent financial websites in Brazil.

What Happened?

Over 800 infected WordPress websites are being used in a large-scale operation to disseminate banking trojans that are designed to steal the credentials of Brazilian e-banking customers.

When victims visit one of the hacked websites, they are greeted with a pop-up window that instructs them to download and install a bogus Java Runtime application (JRE).

The malicious JavaScript files (install.js, sched.js, and sucesso.js) in the MSI installer (install.js, sched.js, and sucesso.js) setup the Python environment for the next stage loader.

This is accomplished via the use of the scheduled.js script, which creates a Scheduled Task and a Startup link, and the sucesso.js script, which is responsible for reporting status to the C2.

The Python loader chain unfolds in the memory and requires loading several scripts, shellcode, and Delphi DLLs until everything is in place for the final payload to be executed inside a Python process, at which point the Python loader chain is completed.

This is completed by instructions.js, which gets the Chrome extensions and installs them on the victim’s computer in the final step. Last but not least, all extensions are started with the appropriate parameters.

As explained by BleepingComputer, the Chaes campaign is still in progress, and people who have been compromised will continue to be in danger long after the websites have been cleaned up.

How Can Heimdal™ Help?

Malware is the most encountered cybersecurity threat nowadays. To keep its assets well protected, a company should have the proper tools put in place. Take for instance our Heimdal Threat Prevention, a DNS traffic filtering tool and a product that works on emergent and hidden threats identification. The Heimdal’s security suite encompasses many more efficient products focused on different areas like ransomware encryption protection, patch management, or email security. Check out our home page to find more!

Did you enjoy this article? Follow us on LinkedInTwitterFacebookYoutube, or Instagram to keep up to date with everything we post!

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.