MercadoLibre E-commerce Company Infected with Chaes Malware

Cybereason Nocturnus security researchers reported that the Chaes malware has been detected in MercadoLibre, Latin America’s largest e-commerce platform.

According to Cybereason, Chaes has infected customers via phishing campaigns in which emails, carrying an Avast signature, claim that a MercadoLivre purchase has been successful.

Assaf Dahan, Cybereason Head of Threat Research, explained that the emails contained a malicious .docx file attachment which, once opened, executes “a template injection technique, using Microsoft Word’s built-in feature to fetch a payload from a remote server.”

Once opened, the files establish a connection with the attacker’s command-and-control (C2) server and download the first malicious payload, an .msi file, before deploying a .vbs file used to execute other processes, as well as uninstall.dll and engine.bin, which both act as the malware’s “engine.”

The malware also installs hhc.exe, hha.dll, and chaes1.bin before it starts to hijack its victim’s Chrome browser to steal system information and sensitive information from browser sessions, harvest login credentials for online accounts, exfiltrate financial information, and even visit the MercadoLibre domain.

“The alarming part in this node.js-based malware is the fact the majority of this behavior is considered normal, as the usage of the Puppeteer library for web scraping is not malicious by nature,” said Cybereason.

The company has not yet released a statement on the report, and its customers have reportedly not been informed of a possible breach.
