A New GoLang Trojan ChaChi Used in Attacks Against US Schools


A new Trojan written in the Go programming language has shifted its focus from government agencies to schools in the United States. 

The malware, termed ChaChi, is also being utilized as a critical component in initiating ransomware assaults, according to a research team from BlackBerry Threat Research and Intelligence. ChaChi is built in GoLang (Go), a programming language used with threat actors as a replacement for C and C++ because of its flexibility and simplicity of cross-platform code compilation. Over the last two years, there has been a 2,000 percent growth in Go-based malware strains, according to Intezer. 

ChaChi was spotted in the first half of 2020 and the original variant of the Remote Access Trojan (RAT) has been linked to cyberattacks against French local government bodies, as documented by CERT France in an Indicators of Compromise (IoC) report (.PDF); nevertheless, a considerably more sophisticated variation has since emerged. 

The most recent samples have been linked to attacks against significant US schools and educational institutions. In comparative analysis to ChaChi's first variant, which had inadequate obfuscation and low-level capabilities, the malware can now conduct typical RAT operations such as backdoor creation and data exfiltration, as well as credential dumping via the Windows Local Security Authority Subsystem Service (LSASS), network enumeration, DNS tunneling, SOCKS proxy functionality, service creation, and lateral movements across networks. 

For obfuscation, the malware makes use of gobfuscate, a publicly accessible GoLang utility. ChaChi gets its name from two off-the-shelf tools used by the malware during attacks: Chashell and Chisel. 

The Trojan, according to BlackBerry experts, is the product of PYSA/Mespinoza, a threat group that has been active since 2018. This group is renowned for employing the extension to launch ransomware operations. 

PYSA stands for "Protect Your System Amigo" and is used when victim data are encrypted. PYSA attacks against both UK and US schools have been on the rise, according to the FBI. PYSA, according to the group, emphasizes on "big game hunting," or choosing wealthy targets with large wallets capable of paying large ransoms. Rather than being a work for automated technologies, these attacks are targeted and often handled by a human operator. 

The researchers stated,"This is a notable change in operation from earlier notable ransomware campaigns such as NotPetya or WannaCry. These actors are utilizing advanced knowledge of enterprise networking and security misconfigurations to achieve lateral movement and gain access to the victim's environments."