Chaes Banking Trojan Uses Malicious Google Chrome Extensions to Steal Credentials Stored

In the recent era, the threat actors are actively exploiting the vulnerable networks to target the users to steal confidential and valuable data. In an active campaign, it has been detected that a banking trojan dubbed “Chaes” using 800 compromised WordPress sites and malicious Google Chrome extensions to spread and steal stored credentials.

The cybersecurity analysts at Avast security have claimed that since late 2021 Chaes banking trojan is spreading and primarily targeting the credentials of Brazilian e-banking users.

However, after detecting this active campaign, the experts at Avast have already notified the Brazilian CERT (BR Cert), and not only that even they have also asserted that there are still hundreds of compromised websites that are spreading this banking trojan.


Chaes use scripting frameworks that are written in Delphi and malicious Google Chrome extensions. And here is the scripting framework used:-

  • JScript
  • Python
  • NodeJS
  • Binaries

That’s why Chaes is well-known for the multiple-stage delivery, and the primary aim of Chaes is to steal all the credentials stored in Chrome and log in sessions of the banking websites.

When one of the compromised websites was visited by the victim, instantly, a pop-up window appeared asking the victim to install a fake Java Runtime application.

The installer that gets downloaded is a MSI installer consists of three elements, and here they are:-

  • install.js
  • sched.js
  • success.js 

All these three elements are used by the installer in the Python environment for the next stage loader. Once done, then next, the Python loader loads several scripts and files like Delphi scripts, shellcode, and DLLs.

In the final stage by compiling all the arguments, the Instructions.js starts fetching the Chrome extensions and then installing them on the compromised system of the victim.

Chrome extensions used

Here are the extensions used:-

  • Online – This extension prints the victim’s fingerprints and writes a registration key.
  • Mtps4 – This extension connects to the C2 and then waits for the incoming PascalScripts.
  • Chrolog – By exfiltrating the database to C2 over HTTP, this extension steals Google Chrome passwords.
  • Chronodx – This extension runs the trojan silently in the background, and then it waits for the Chrome to launch.

Moreover, in this ongoing malicious campaign, several popular websites in Brazil are also compromised to drop malicious payloads and cover a large number of the infected system.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.