ChaChi: a new GoLang Trojan used in attacks against US schools

A new Trojan written in the Go programming language has pivoted from attacks against government agencies to US schools.

The research team from BlackBerry Threat Research and Intelligence said on Wednesday that the malware, dubbed ChaChi, is also being used as a key component in launching ransomware attacks.

ChaChi is written in GoLang (Go), a programming language that is now being widely adopted by threat actors in a shift away from C and C++ due to its versatility and the ease of cross-platform code compilation.

According to Intezer, there has been roughly a 2,000% increase in Go-based malware samples over the past few years.

“As this is such a new phenomenon, many core tools to the analysis process are still catching up,” BlackBerry noted. “This can make Go a more challenging language to analyze.”

ChaChi was spotted in the first half of 2020, and the original variant of the Remote Access Trojan (RAT) has been linked to cyberattacks against French local government authorities, listed by CERT France in an Indicators of Compromise (IoC) report (.PDF); but now, a far more sophisticated variant has appeared.

The latest samples available have been connected to attacks launched against large US schools and education organizations.

In comparison to the first variant of ChaChi, which had poor obfuscation and low-level capabilities, the malware is now able to perform typical RAT activities, including backdoor creation and data exfiltration, as well as credential dumping via the Windows Local Security Authority Subsystem Service (LSASS), network enumeration, DNS tunneling, SOCKS proxy functionality, service creation, and lateral movement across networks.

The malware also makes use of a publicly accessible GoLang tool, gobfuscate, for obfuscation purposes.

ChaChi is named as such due to Chashell and Chisel, two off-the-shelf tools used by the malware during attacks and modified for these purposes. Chashell is a reverse shell over DNS provider, whereas Chisel is a port-forwarding system.

BlackBerry researchers believe the Trojan is the work of PYSA/Mespinoza, a threat group that has been around since 2018. This group is known for launching ransomware campaigns and using the extension. PYSA when victim files have been encrypted, standing for “Protect Your System Amigo.”

The FBI has previously warned of an increase in PYSA attacks against both UK and US schools.

Generally, the team says that PYSA focuses on “big game hunting” — picking lucrative targets with big wallets able to pay vast amounts when a ransom is demanded. These attacks are targeted and are often controlled by a human operator rather than a task of automated tools.

“This is a notable change in operation from earlier notable ransomware campaigns such as NotPetya or WannaCry,” the researchers say. “These actors are utilizing advanced knowledge of enterprise networking and security misconfigurations to achieve lateral movement and gain access to the victim’s environments.”