Skip to content

S0631 Chaes

Chaes is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. Chaes was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.1

Item Value
ID S0631
Associated Names
Version 1.1
Created 30 June 2021
Last Modified 24 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Chaes has used HTTP for C2 communications.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Chaes has added persistence via the Registry key software\microsoft\windows\currentversion\run\microsoft windows html help.1
enterprise T1185 Browser Session Hijacking Chaes has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Chaes has used cmd to execute tasks on the system.1
enterprise T1059.005 Visual Basic Chaes has used VBscript to execute malicious code.1
enterprise T1059.006 Python Chaes has used Python scripts for execution and the installation of additional files.1
enterprise T1059.007 JavaScript Chaes has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers Chaes can steal login credentials and stored financial information from the browser.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Chaes has used Base64 to encode C2 communications.1
enterprise T1140 Deobfuscate/Decode Files or Information Chaes has decrypted an AES encrypted binary file to trigger the download of other files.1
enterprise T1573 Encrypted Channel Chaes has used encryption for its C2 channel.1
enterprise T1048 Exfiltration Over Alternative Protocol Chaes has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Chaes has used search order hijacking to load a malicious DLL.1
enterprise T1105 Ingress Tool Transfer Chaes can download additional files onto an infected machine.1
enterprise T1056 Input Capture Chaes has a module to perform any API hooking it desires.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Chaes has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL.1
enterprise T1112 Modify Registry Chaes can modify Registry values to stored information and establish persistence.1
enterprise T1106 Native API Chaes used the CreateFileW() API function with read permissions to access downloaded payloads.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.011 Fileless Storage Some versions of Chaes stored its instructions (otherwise in a instructions.ini file) in the Registry.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.1
enterprise T1113 Screen Capture Chaes can capture screenshots of the infected machine.1
enterprise T1539 Steal Web Session Cookie Chaes has used a script that extracts the web session cookie and sends it to the C2 server.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.004 InstallUtil Chaes has used Installutill to download content.1
enterprise T1218.007 Msiexec Chaes has used .MSI files as an initial way to start the infection chain.1
enterprise T1082 System Information Discovery Chaes has collected system information, including the machine name and OS version.1
enterprise T1033 System Owner/User Discovery Chaes has collected the username and UID from the infected machine.1
enterprise T1221 Template Injection Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Chaes requires the user to click on the malicious Word document to execute the next part of the attack.1