Education Targeted by 'ChaChi' Remote Access Trojan
A previously unnamed remote access Trojan, or RAT, that had until
recently been targeting local governments in France, has set its
sights on the education sector in the United States. It’s being
deployed by PYSA/Mespinoza ransomware operators, according to new
research.
According to the BlackBerry
Threat Research and Intelligence SPEAR Team, the newly dubbed "ChaChi" RAT (named after two of its components, Chashell and Chisel)
is being used against both K–12 and higher education organizations
across 12 states in the United States, as well as in the UK.
Healthcare has also been a target.
“This may be due in part to healthcare and educational
organizations being more susceptible to cyberattacks as they are less
likely to have established security infrastructures or may lack the
resources to prioritize security,” according to the report.
“Healthcare and education organizations also host large volumes of
sensitive data, making them more valuable targets. It is not uncommon
for schools and hospitals to have legacy systems, poor email
filtering, no data backups, or unpatched systems in their
environments. This leaves their networks more vulnerable to exploits
and ransomware attacks.”
Researchers noted the nature of education environments makes them
particularly attractive to attackers. “It is particularly
concerning that attackers are focusing so heavily on education
organizations, as they are especially vulnerable. Higher education
environments tend to function like miniature cities, with a heavy
cultural emphasis on information-sharing. Not only do they host
significant quantities of business data; schools also host traffic
from students living on campus,” according to the report. “These
students often have little security awareness training, and they
might fall victim to suspicious emails, fail to recognize
questionable websites, or download malicious programs onto their
personal devices while connected. These factors contribute to these
industries being easy but valuable targets to threat actors and may
explain the sudden increase in PYSA actors attacking educational
institutions.”
ChaChi is written in Go (sometimes called Golang), a relatively new
language, which helps frustrate detection and prevention, according
to BlackBerry. It also uses gobfuscate, an obfuscation tool
previously seen in Ekans and BlackRota, that makes detection of code
more difficult. Its actual workings are complex but are laid out in
detail, with screen shots, on
BlackBerry’s site.
“ChaChi is a powerful tool in the hands of malicious actors who are
targeting industries notoriously susceptible to cyberattacks,” the
researchers concluded. “It has demonstrated itself as a capable
threat, and its use by PYSA ransomware operatives is a cause for
concern, especially at a time when ransomware is experiencing
alarming success through a string of high-profile attacks including
campaigns conducted by REvil, Avaddon and DarkSide. Organizations
ignoring this threat do so at their own risk, in a year of
one-after-another cybersecurity disasters.”
Complete
information about ChaChi, including a detailed analysis of its inner
workings and evolution, can be found on the BlackBerry site.