'Chaes' Infostealer Code Contains Hidden Threat Hunter Love Notes



Analysis of the infostealer malware version 4.1 includes hidden ASCII art and a shout-out thanking cybersecurity researchers.
January 18, 2024
Appearing flattered by the dogged analysis of Chaes malware over the years, the infostealer's developer dropped secret messages in the latest version of the code praising threat hunter efforts and thanking them for the interest.
Running Chaes 4.1 in debug mode reveals a number of intricate ASCII art pieces hidden in the code, according to Morphisec malware researcher Arnold Osipov, who also found a shout-out addressed to him by name, likewise hidden in the infostealer's code.
"We spend several hours of our lives trying to write code that is worth being analysed by such talented researchers like yourself," the message from the Chaes developers, addressed specifically to Osipov, read. "We sincerely hope our efforts meet your expectations."
The code also contains a mention that the Chaes team was discovered by Cybereason three years ago. "We are still a bae," they wrote.
The current Chaes campaign tracked by Osipov opens with a Portuguese-language email, purportedly from an attorney about an urgent legal matter. If the recipient clicks the embedded link, they land on a spoofed TotalAV website that asks for a password before a document can be downloaded; the download is actually the MSI installer that deploys the malware, Morphisec's new report explained. The latest version of the Chaes framework includes several improvements, most notably in the "Chronod" module, which intercepts the victim's browser activity, the researchers found.
"The threat actor has a history of expressing appreciation to security researchers for helping in the improvement of their 'software'," the report added. "However, this is the first time such gratitude has been expressed directly within the code."

Becky Bracken, Editor, Dark Reading

