Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)
ID: S0631
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 30 Jun 2021
Last Modified: 24 Mar 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Chaes has used HTTP for C2 communications.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Chaes has added persistence via the Registry key software\microsoft\windows\currentversion\run\microsoft windows html help.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Chaes has used cmd to execute tasks on the system.(Citation: Cybereason Chaes Nov 2020)

.005 Command and Scripting Interpreter: Visual Basic

Chaes has used VBscript to execute malicious code.(Citation: Cybereason Chaes Nov 2020)

.006 Command and Scripting Interpreter: Python

Chaes has used Python scripts for execution and the installation of additional files.(Citation: Cybereason Chaes Nov 2020)

.007 Command and Scripting Interpreter: JavaScript

Chaes has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Chaes can steal login credentials and stored financial information from the browser.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1132 .001 Data Encoding: Standard Encoding

Chaes has used Base64 to encode C2 communications.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Chaes has used search order hijacking to load a malicious DLL.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

Some versions of Chaes stored its instructions (otherwise in a `instructions.ini` file) in the Registry.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Chaes has used Installutill to download content.(Citation: Cybereason Chaes Nov 2020)

.007 System Binary Proxy Execution: Msiexec

Chaes has used .MSI files as an initial way to start the infection chain.(Citation: Cybereason Chaes Nov 2020)

Enterprise T1204 .002 User Execution: Malicious File

Chaes requires the user to click on the malicious Word document to execute the next part of the attack.(Citation: Cybereason Chaes Nov 2020)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.