[BreachExchange] Education Targeted by 'ChaChi' Remote Access Trojan

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jun 25 11:58:54 EDT 2021


https://thejournal.com/articles/2021/06/24/education-targeted-by-chachi-remote-access-trojan.aspx

A previously unnamed remote access Trojan, or RAT, that had until recently
been targeting local governments in France has set its sights on the
education sector in the United States. It’s being deployed by
PYSA/Mespinoza ransomware operators, according to new research.

According to the BlackBerry Threat Research and Intelligence SPEAR Team,
the newly dubbed "ChaChi" RAT (named after two of its components, Chashell
and Chisel) is being used against both K–12 and higher education
organizations across 12 states in the United States, as well as in the UK.
Healthcare has also been a target.

“This may be due in part to healthcare and educational organizations being
more susceptible to cyberattacks as they are less likely to have
established security infrastructures or may lack the resources to
prioritize security,” according to the report. “Healthcare and education
organizations also host large volumes of sensitive data, making them more
valuable targets. It is not uncommon for schools and hospitals to have
legacy systems, poor email filtering, no data backups, or unpatched systems
in their environments. This leaves their networks more vulnerable to
exploits and ransomware attacks.”

Researchers noted the nature of education environments makes them
particularly attractive to attackers. “It is particularly concerning that
attackers are focusing so heavily on education organizations, as they are
especially vulnerable. Higher education environments tend to function like
miniature cities, with a heavy cultural emphasis on information-sharing.
Not only do they host significant quantities of business data; schools also
host traffic from students living on campus,” according to the report.
“These students often have little security awareness training, and they
might fall victim to suspicious emails, fail to recognize questionable
websites, or download malicious programs onto their personal devices while
connected. These factors contribute to these industries being easy but
valuable targets to threat actors and may explain the sudden increase in
PYSA actors attacking educational institutions.”

ChaChi is written in Go (sometimes called Golang), a relatively new
language, which helps frustrate detection and prevention, according to
BlackBerry. It also uses gobfuscate, an obfuscation tool previously seen in
Ekans and BlackRota, that makes detection of code more difficult. Its
actual workings are complex but are laid out in detail, with screenshots,
on BlackBerry’s site.

“ChaChi is a powerful tool in the hands of malicious actors who are
targeting industries notoriously susceptible to cyberattacks,” the
researchers concluded. “It has demonstrated itself as a capable threat, and
its use by PYSA ransomware operatives is a cause for concern, especially at
a time when ransomware is experiencing alarming success through a string of
high-profile attacks including campaigns conducted by REvil, Avaddon and
DarkSide. Organizations ignoring this threat do so at their own risk, in a
year of one-after-another cybersecurity disasters.”