'Chaes' Infostealer Code Contains Hidden Threat Hunter Love Notes

Analysis of version 4.1 of the infostealer malware reveals hidden ASCII art and a shout-out thanking cybersecurity researchers.

Appearing flattered by the dogged analysis of Chaes malware over the years, the infostealer's developer dropped secret messages in the latest version of the code praising threat hunter efforts and thanking them for the interest.

Analysis of infostealer Chaes 4.1 in debug mode reveals a number of intricate ASCII art pieces hidden within the code, according to Morphisec malware researcher Arnold Osipov, who also received a special shout-out message from the malware developers, hidden in the same code.

"We spend several hours of our lives trying to write code that is work being analysed by such talented researchers like yourself," the message from the Chaes developers addressed specifically to Osipov read. "We sincerely hope our efforts meet your expectations."

The code also contains a mention that the Chaes team was discovered by Cybereason three years ago. "We are still a bae," they wrote.

The current Chaes campaign being tracked by Osipov uses a Portuguese-language email, purportedly from an attorney about an urgent legal matter. If the user clicks the malicious link, they are taken to a spoofed website for TotalAV and asked to enter their password to download a document; the site then serves up the MSI installer, Morphisec's new report explained. The latest version of the Chaes framework includes some improvements, notably in the "Chronod" module, which intercepts victim browser activity, the research found.

"The threat actor has a history of expressing appreciation to security researchers for helping in the improvement of their 'software,'" the report added. "However, this is the first time such gratitude has been expressed directly within the code."

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.