Appearing flattered by the dogged analysis of Chaes malware over the years, the infostealer's developer dropped secret messages in the latest version of the code praising threat hunters' efforts and thanking them for the interest.
Analysis of infostealer Chaes 4.1 in debug mode reveals a number of intricate ASCII art pieces hidden within the code, according to Morphisec malware researcher Arnold Osipov. The malware developers also hid a special shout-out message to Osipov within the infostealer's code.
"We spend several hours of our lives trying to write code that is work being analysed by such talented researchers like yourself," the message from the Chaes developers addressed specifically to Osipov read. "We sincerely hope our efforts meet your expectations."
The code also contains a mention that the Chaes team was discovered by Cybereason three years ago. "We are still a bae," they wrote.
The current Chaes campaign being tracked by Osipov uses a Portuguese-language email, purportedly from an attorney about an urgent legal matter. If the user clicks the malicious link, they are taken to a spoofed website for TotalAV and asked to enter their password to download a document, which then serves up the MSI installer, Morphisec's new report explained. The latest version of the Chaes framework included some improvements, notably in the "Chronod" module, which intercepts victim browser activity, the research found.
"The threat actor has a history of expressing appreciation to security researchers for helping in the improvement of their 'software,'" the report added. "However, this is the first time such gratitude has been expressed directly within the code."