A new Trojan written in the Go programming language has moved from attacks on government agencies to American schools.
The BlackBerry Threat Research and Intelligence research team said on Wednesday that the malware, dubbed ChaChi, is also being used as a key element in launching ransomware attacks.
ChaChi is written in GoLang (Go), a programming language that is now widely adopted by threat actors who are moving away from C and C ++ due to its versatility and ease of building cross-platform code.
According to Intezer, there has been an approximately 2,000% increase in Go-based malware samples over the past few years.
“Because this is such a new phenomenon, many tools essential to the scanning process are still catching up,†BlackBerry noted. “It can make Go a more difficult language to analyze. ”
ChaChi was spotted in the first half of 2020, and the original variant of the Remote Access Trojan (RAT) has been linked to cyberattacks against French local authorities, listed by CERT France in an Indicators of Compromise (IoC ) (.PDF); but now a much more sophisticated variant has appeared.
The latest available samples have been linked to attacks on major American schools and educational organizations.
Compared to the first ChaChi variant, which had mediocre obfuscation and low-level capabilities, the malware is now capable of performing typical RAT activities, including backdoor creation and data exfiltration, as well. as credential dump through Local Security Authority Subsystem Service (LSASS), network enumeration, DNS tunnel, SOCKS proxy functionality, service creation, and lateral movement across networks.
The malware also uses a publicly available GoLang tool, gobfuscate, for obfuscation.
ChaChi is named after Chashell and Chisel, two standard tools used by malware in attacks and modified for these purposes. Chashell is a reverse shell provider over DNS, while Chisel is a port forwarding system.
BlackBerry researchers believe the Trojan is the work of PYSA / Mespinoza, a threat group that has been around since 2018. This group is known to run ransomware campaigns and use the extension. PYSA when the victim’s files have been encrypted, meaning “Protect Your System Amigo”.
The FBI has previously warned of an increase in PYSA attacks on British and American schools.
Typically, the team says PYSA is focused on “big game hunting” – picking lucrative targets with big wallets capable of paying hefty sums of money when ransom is demanded. These attacks are targeted and are often controlled by a human operator rather than a task of automated tools.
“This is a notable operational change from previous notable ransomware campaigns such as NotPetya or WannaCry,†the researchers say. “These actors use advanced knowledge of corporate networks and misconfigurations of security to achieve lateral movement and access victim environments.”
Prior and related coverage
Do you have any advice? Contact us securely via WhatsApp | Call +447 713 025 499, or Keybase: charlie0
