Security researchers have revealed the PYSA ransomware gang has started using a Golang-based Trojan (RAT) called ChaChi as part of a new campaign against educational organizations.
According to the BlackBerry Threat Research and Intelligence SPEAR Team, The PYSA crime gang developed the ChaChi malware, which is named after two key components of the RAT, Chashell and Chisel.
Researchers estimate the hackers developed ChaChi no earlier than mid-2019, but they believe its development likely occurred near the beginning of 2020.
Hackers used the earliest variant of this malware in attacks on French government authorities’ networks in March of 2020. Since then, researchers have observed it in attacks on health care organizations, private companies, and educational establishments. Recent PYSA ransomware attacks have targeted higher education and K-12 schools across 12 states and in the UK.
“After initial sightings in attacks during the first quarter of 2020, ChaChi’s code was altered to include obfuscation and persistence in late March or early April. Very soon after that, we started seeing ChaChi variants with the added DNS tunnelling and Port-Forwarding/Proxy functionality. There have been few noteworthy changes after that point,” researchers said.
In addition to installing ChaChi, the latest PYSA campaign uses PowerShell scripts to uninstall/stop/disable antivirus and other essential services.
Researchers said that by using Golang to develop ChaChi, PYSA ransomware operators can frustrate detection and prevention efforts by analysts and tools unfamiliar with the language.
RELATED RESOURCE
“The earliest version of ChaChi lacked several features of more mature malware, but its rapid evolution and recent deployment against national governments, healthcare organizations, and educational institutions indicates this malware is being actively developed and improved,” said researchers.
Researchers added that the malware is a “powerful tool” in the hands of malicious actors who are targeting industries notoriously susceptible to cyber attacks.
“It has demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide,” said researchers.
Researchers warned that organizations ignoring this threat do so at their own risk, especially in a year of one-after-another cyber security disasters.
-
Tapping into the ’touch grass’ movement in cybersecurityIndustry Insights With cybersecurity experiencing a ’touch grass’ moment, what role should resellers play?
-
Cyber resilience in the UK: learning to take the punchesColumn UK law now puts resilience at the centre of cybersecurity strategies – but is legislation simply catching up with enterprise understanding that resilience is more than just an IT issue?
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
