CHAVECLOAK is a banking trojan that targets individuals in the South American financial sector. This Windows-based malware is designed to steal sensitive financial data and spreads via phishing emails carrying malicious PDF attachments. Once active, it locks screens, logs keystrokes, and displays fake pop-ups while monitoring for banking activity.
CHAVECLOAK uses DLL side-loading, placing a malicious DLL where Windows will automatically load it, to execute its payload. It also connects to a command-and-control (C2) server for further instructions and to exfiltrate stolen credentials.
Behavioral Analysis of CHAVECLOAK
- File Location: CHAVECLOAK hides in the folder %AppData%\Skillbrains\lightshot\5.5.0.7.
- Execution Technique: Utilizes Lightshot.dll via DLL side-loading.
- Persistence: Creates a registry key at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lightshot to ensure it runs after a system reboot.
- Communication: Connects to a C2 server for instructions and data exfiltration.
Indicators of Compromise (IoC):
Hash Type | Value
MD5 | c371047910a709f65fd85d10cde0ca4f
SHA256 | 4ab3024e7660892ce6e8ba2c6366193752f9c0b26beedca05c57dcb684703006
Infrastructure Setup
To demonstrate CHAVECLOAK detection using Argus, you need the following:
- Argus: Use the Argus OVA virtual machine to host Argus’s components (server, indexer, and dashboard).
- Windows 11 Endpoint: Install the Argus agent and enroll it with the Argus server.
Detection Techniques with Argus - Configuring Sysmon to Monitor Malware Activities
We use Sysmon to collect detailed system events and configure Argus to detect malicious behaviors.
Steps for Windows Endpoint Configuration:
- Download Sysmon: Sysinternals Sysmon https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
- Create Sysmon Directory: New-Item -ItemType Directory -Path C:\Sysmon
- Extract Sysmon Files: Expand-Archive -Path "\Sysmon.zip" -DestinationPath "C:\Sysmon" (replace the first path with the file's download location).
- Download Configuration File: wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile C:\Sysmon\sysmonconfig.xml
- Install Sysmon:
  cd C:\Sysmon
  .\Sysmon64.exe -accepteula -i sysmonconfig.xml
- Update Argus Agent Configuration: Append this to C:\Program Files (x86)\ossec-agent\ossec.conf so the agent forwards the Sysmon event channel:
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
- Restart the Argus Agent: Restart-Service -Name wazuh
Steps for Argus Server Configuration:
- Create Custom Rule File: touch /var/ossec/etc/rules/chavecloak_rules.xml
- Add Detection Rules: Add the following to chavecloak_rules.xml. The rule id, level and group name are not given on the page; 100100, 12 and "windows,sysmon," are placeholder values in the custom-rule range. Rule 61613 is the built-in rule for Sysmon Event ID 11 (FileCreate), so this fires when msiexec.exe writes a file named Lightshot.exe:
  <group name="windows,sysmon,">
    <rule id="100100" level="12">
      <if_sid>61613</if_sid>
      <field name="win.eventdata.image">msiexec.exe</field>
      <field name="win.eventdata.targetFilename">Lightshot.exe</field>
      <description>$(win.eventdata.image) created the executable $(win.eventdata.targetFilename). Possible CHAVECLOAK malware activity.</description>
      <mitre>
        <id>T1204.002</id>
      </mitre>
    </rule>
  </group>
- Restart Argus Server: systemctl restart wazuh-manager
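The matching the custom rule above performs, as an added example in plain Python (not code from the page or from Argus/Wazuh): it takes decoded Sysmon Event ID 11 events shaped like the win.eventdata fields, requires the creating image to be msiexec.exe and the created file to be Lightshot.exe, and expands the $(field) placeholders in the description the way the rule engine does. The rule id 100100, the level 12, the matched_sid marker (standing in for the parent if_sid match) and the sample events are constructed for this example.

```python
import re
from typing import Any, Dict, Optional
# The page's rule expressed as data. id/level are assumed values (the page gives
# none); 61613 is the built-in rule for Sysmon Event ID 11 (FileCreate) named on the page.
RULE = {
    "id": "100100", "level": 12, "parent_sid": 61613,
    "fields": {"win.eventdata.image": r"(?i)msiexec\.exe$",
               "win.eventdata.targetFilename": r"(?i)Lightshot\.exe$"},
    "description": ("$(win.eventdata.image) created the executable "
                    "$(win.eventdata.targetFilename). Possible CHAVECLOAK malware activity."),
    "mitre": ["T1204.002"],
}

def lookup(event: Dict[str, Any], dotted: str) -> Optional[str]:
    """Resolve a dotted field path such as win.eventdata.image inside a decoded event."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur if isinstance(cur, str) else None

def expand_description(template: str, event: Dict[str, Any]) -> str:
    """Expand $(dotted.path) placeholders as rule descriptions do; unknown paths stay literal."""
    return re.sub(r"\$\(([^)]+)\)", lambda m: lookup(event, m.group(1)) or m.group(0), template)

def evaluate(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Alert only if the parent rule already matched and every field pattern hits."""
    if event.get("matched_sid") != RULE["parent_sid"]:   # matched_sid: constructed marker for if_sid
        return None
    for path, pattern in RULE["fields"].items():
        value = lookup(event, path)
        if value is None or not re.search(pattern, value):
            return None
    return {"rule_id": RULE["id"], "level": RULE["level"], "mitre": RULE["mitre"],
            "description": expand_description(RULE["description"], event)}

# Constructed sample events shaped like decoded Sysmon JSON (not real telemetry).
SAMPLE_EVENTS = [
    {"matched_sid": 61613, "win": {"eventdata": {   # true positive: the drop path from the page
        "image": "C:\\Windows\\System32\\msiexec.exe",
        "targetFilename": "C:\\Users\\u\\AppData\\Roaming\\Skillbrains\\lightshot\\5.5.0.7\\Lightshot.exe"}}},
    {"matched_sid": 61613, "win": {"eventdata": {   # benign installer write by msiexec
        "image": "C:\\Windows\\System32\\msiexec.exe", "targetFilename": "C:\\Windows\\Installer\\MSI1234.tmp"}}},
    {"matched_sid": 61603, "win": {"eventdata": {"image": "C:\\Windows\\explorer.exe"}}},  # not a FileCreate
]

if __name__ == "__main__":
    for alert in filter(None, map(evaluate, SAMPLE_EVENTS)):
        print(alert["rule_id"], alert["description"])
```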
Monitoring File Integrity and Active Response
We use the File Integrity Monitoring (FIM) module to watch for malicious file changes and configure Argus’s active response to remove detected threats.
Windows Endpoint Configuration:
- Update FIM Module: Add the following to ossec.conf so the Downloads folder of every user profile is monitored in real time:
  <syscheck>
    <directories realtime="yes">C:\Users\*\Downloads</directories>
  </syscheck>
- Restart Argus Agent: Restart-Service -Name wazuh
- Create Active Response Script: Save this Python script as remove-threat.py:
#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

# Log file for active-response activity; the path depends on the agent's OS.
if os.name == 'nt':
    LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
    LOG_FILE = "/var/ossec/logs/active-responses.log"

# Commands the manager can send to this script
ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1


class message:
    def __init__(self):
        self.alert = ""
        self.command = 0


def write_debug_file(ar_name, msg):
    # Append a timestamped line to the active-response log
    with open(LOG_FILE, mode="a") as log_file:
        log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg + "\n")


def setup_and_check_message(argv):
    # get alert from stdin
    input_str = ""
    for line in sys.stdin:
        input_str = line
        break

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        message.command = OS_INVALID
        return message

    message.alert = data
    command = data.get("command")

    if command == "add":
        message.command = ADD_COMMAND
    elif command == "delete":
        message.command = DELETE_COMMAND
    else:
        message.command = OS_INVALID
        write_debug_file(argv[0], 'Not valid command: ' + str(command))

    return message


def send_keys_and_check_message(argv, keys):
    # build and send message with keys
    keys_msg = json.dumps({"version": 1, "origin": {"name": argv[0], "module": "active-response"}, "command": "check_keys", "parameters": {"keys": keys}})
    write_debug_file(argv[0], keys_msg)
    print(keys_msg)
    sys.stdout.flush()

    # read the response of previous message
    input_str = ""
    while True:
        line = sys.stdin.readline()
        if line:
            input_str = line
            break

    # write_debug_file(argv[0], input_str)

    try:
        data = json.loads(input_str)
    except ValueError:
        write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
        return message

    action = data.get("command")
    if "continue" == action:
        ret = CONTINUE_COMMAND
    elif "abort" == action:
        ret = ABORT_COMMAND
    else:
        ret = OS_INVALID
        write_debug_file(argv[0], "Invalid value of 'command'")

    return ret


def main(argv):
    write_debug_file(argv[0], "Started")

    # validate json and get command
    msg = setup_and_check_message(argv)

    if msg.command < 0:
        sys.exit(OS_INVALID)

    if msg.command == ADD_COMMAND:
        alert = msg.alert["parameters"]["alert"]
        keys = [alert["rule"]["id"]]
        action = send_keys_and_check_message(argv, keys)

        # if necessary, abort execution
        if action != CONTINUE_COMMAND:
            if action == ABORT_COMMAND:
                write_debug_file(argv[0], "Aborted")
                sys.exit(OS_SUCCESS)
            else:
                write_debug_file(argv[0], "Invalid command")
                sys.exit(OS_INVALID)

        # remove the file VirusTotal flagged as malicious
        try:
            os.remove(msg.alert["parameters"]["alert"]["data"]["virustotal"]["source"]["file"])
            write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
        except OSError as error:
            write_debug_file(argv[0], json.dumps(msg.alert) + " Error removing threat: " + str(error))
    else:
        write_debug_file(argv[0], "Invalid command")

    write_debug_file(argv[0], "Ended")
    sys.exit(OS_SUCCESS)


if __name__ == "__main__":
    main(sys.argv)
- Convert Script to Executable: pyinstaller -F remove-threat.py
- Move Executable to Active Response Bin: mv .\dist\remove-threat.exe "C:\Program Files (x86)\ossec-agent\active-response\bin"
- Restart Argus Agent: Restart-Service -Name wazuh
Argus Server Configuration:
- Set Up VirusTotal Integration: Add this to ossec.conf, replacing <YOUR_VIRUSTOTAL_API_KEY> with your VirusTotal API key (rule ids 554 and 550 are the FIM "file added" and "file modified" alerts that trigger the lookup):
  <integration>
    <name>virustotal</name>
    <api_key><YOUR_VIRUSTOTAL_API_KEY></api_key>
    <rule_id>554,550</rule_id>
    <alert_format>json</alert_format>
  </integration>
- Configure Active Response: Add this to ossec.conf; rule 87105 is the VirusTotal alert raised when engines flag the file as malicious, so it triggers remove-threat.exe on the agent that reported it:
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>
  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
- Add Rules for Active Response: Add the following rule so that a successful removal logged by the script raises its own alert. The rule id, level and group name are not given on the page; 100092, 12 and "virustotal," are placeholder values in the custom-rule range:
  <group name="virustotal,">
    <rule id="100092" level="12">
      <if_sid>657</if_sid>
      <match>Successfully removed threat</match>
      <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
      <mitre>
        <id>T1107</id>
        <id>T1485</id>
      </mitre>
    </rule>
  </group>
- Restart Argus Server: systemctl restart wazuh-manager
Testing and Results
Place a sample of CHAVECLOAK malware in the monitored Downloads folder. Use the Argus dashboard to review alerts, including successful malware removal and file integrity monitoring events.