Security News > 2023 > September > Chaes malware now uses Google Chrome DevTools Protocol to steal data
The Chaes malware has returned as a new, more advanced variant that includes a custom implementation of the Google DevTools protocol for direct access to the victim's browser functions, allowing it to steal data using WebSockets.
A new feature that stands out is Chaes' use of the Chrome DevTools Protocol to steal data from the web browser, including the real-time modification of web pages, execution of JavaScript code, debugging, network request management, memory management, cookie and cache management, and more.
Chaes repeats the same process automatically for all the URLs the stealer module is configured to steal data from.
WebSockets supports persistent communications for real-time, low-latency data exchange, can transmit both text and binary data, does not require request caching or proxying, and is generally stealthier than HTTP. Morphisec reports that all messages exchanged between the C2 and the malware client are JSON formatted, base64 encoded, and AES encrypted.
Chaes is the first notable case of malware featuring a custom implementation of Google Chrome's DevTools protocol to perform malicious operations on infected systems, which underlines its aggressive nature.
Google Chrome to warn when installed extensions are malware.
News URL
Related news
- New Octo Android malware version impersonates NordVPN, Google Chrome (source)
- Google Chrome will let you send money to your favourite website (source)
- Google Chrome gets a mind of its own for some security fixes (source)
- Google Chrome Switches to ML-KEM for Post-Quantum Cryptography Defense (source)
- New Google Chrome feature will translate complex pages in real time (source)
- Cloud storage lockers from Microsoft and Google used to store and spread state-sponsored malware (source)
- Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs (source)
- New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions (source)
- Azure domains and Google abused to spread disinformation and malware (source)
- Google fixes ninth Chrome zero-day exploited in attacks this year (source)