Education Targeted by 'ChaChi' Remote Access Trojan

A previously unnamed remote access Trojan, or RAT, that had until recently been targeting local governments in France, has set its sights on the education sector in the United States. It’s being deployed by PYSA/Mespinoza ransomware operators, according to new research.

According to the BlackBerry Threat Research and Intelligence SPEAR Team, the newly dubbed "ChaChi" RAT (named after two of its components, Chashell and Chisel) is being used against both K–12 and higher education organizations across 12 states in the United States, as well as in the UK. Healthcare has also been a target.

“This may be due in part to healthcare and educational organizations being more susceptible to cyberattacks as they are less likely to have established security infrastructures or may lack the resources to prioritize security,” according to the report. “Healthcare and education organizations also host large volumes of sensitive data, making them more valuable targets. It is not uncommon for schools and hospitals to have legacy systems, poor email filtering, no data backups, or unpatched systems in their environments. This leaves their networks more vulnerable to exploits and ransomware attacks.”

Researchers noted the nature of education environments makes them particularly attractive to attackers. “It is particularly concerning that attackers are focusing so heavily on education organizations, as they are especially vulnerable. Higher education environments tend to function like miniature cities, with a heavy cultural emphasis on information-sharing. Not only do they host significant quantities of business data; schools also host traffic from students living on campus,” according to the report. “These students often have little security awareness training, and they might fall victim to suspicious emails, fail to recognize questionable websites, or download malicious programs onto their personal devices while connected. These factors contribute to these industries being easy but valuable targets to threat actors and may explain the sudden increase in PYSA actors attacking educational institutions.”

ChaChi is written in Go (sometimes called Golang), a relatively new language, which helps frustrate detection and prevention, according to BlackBerry. It also uses gobfuscate, an obfuscation tool previously seen in Ekans and BlackRota, that makes detection of code more difficult. Its actual workings are complex but are laid out in detail, with screen shots, on BlackBerry’s site.

“ChaChi is a powerful tool in the hands of malicious actors who are targeting industries notoriously susceptible to cyberattacks,” the researchers concluded. “It has demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide. Organizations ignoring this threat do so at their own risk, in a year of one-after-another cybersecurity disasters.”

Complete information about ChaChi, including a detailed analysis of its inner workings and evolution, can be found on the BlackBerry site.

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .


Featured