New GoLang Trojan ChaChi used in attacks against US schools

A new Trojan written in the Go programming language has been used in cyberattacks targeting government agencies and US schools.

The malware, known as ChaChi, is also being used in ransomware attacks.


ChaChi is written in Go (GoLang), a programming language popular with threat actors because of its flexibility and the ease with which code can be cross-compiled for multiple platforms.


According to Intezer, the number of Go-based malware samples has grown by roughly 2,000 percent over the last two years.

Because Go malware is still a relatively new phenomenon, many core analysis tools are still catching up, according to the BlackBerry Threat Research and Intelligence team. This makes Go binaries harder to analyze and reverse engineer.


ChaChi was first spotted in the first half of 2020.

The first version of the Remote Access Trojan (RAT) was linked to cyberattacks against French local government, but a considerably more sophisticated variant has since emerged.

The most recent samples have been linked to attacks against major US schools and educational institutions.

Compared with ChaChi's first variant, which had weak obfuscation and limited capabilities, the malware can now perform typical RAT activities such as backdoor creation and data exfiltration, as well as credential dumping from the Windows Local Security Authority Subsystem Service (LSASS) process, network enumeration, DNS tunneling, SOCKS proxying, service creation and lateral movement.


For obfuscation, the malware uses gobfuscate, a publicly available open-source Go obfuscation tool.
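The Go program below is an example added for this article; it is not code from ChaChi, from gobfuscate or from BlackBerry's analysis. It illustrates the general idea behind gobfuscate-style string hiding: a string literal is stored XOR-encoded and rebuilt only at runtime, so a static `strings` pass over the binary never sees the C2 hostname, and the analyst has to recover the decode routine instead. The XOR scheme, the literals (c2.example.invalid, cmd.exe, /c whoami) and the helper names are all made up for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// ObfuscatedString is a string literal as a gobfuscate-style tool would leave
// it in the binary: XOR-encoded bytes plus the key that rebuilds it at runtime.
// (Illustrative scheme written for this article, not gobfuscate's own code.)
type ObfuscatedString struct {
	Enc []byte
	Key []byte
}

// RandomKey returns n random key bytes, one per plaintext byte.
func RandomKey(n int) ([]byte, error) {
	key := make([]byte, n)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Obfuscate XOR-encodes s with key; the key is repeated if shorter than s.
func Obfuscate(s string, key []byte) ObfuscatedString {
	if len(key) == 0 {
		panic("Obfuscate: empty key")
	}
	enc := make([]byte, len(s))
	for i := 0; i < len(s); i++ {
		enc[i] = s[i] ^ key[i%len(key)]
	}
	return ObfuscatedString{Enc: enc, Key: key}
}

// Reveal rebuilds the plaintext at runtime. In a real sample this is the
// routine an analyst hooks, emulates or re-implements to recover C2 data.
func (o ObfuscatedString) Reveal() string {
	out := make([]byte, len(o.Enc))
	for i, b := range o.Enc {
		out[i] = b ^ o.Key[i%len(o.Key)]
	}
	return string(out)
}

// Image returns the bytes as they would sit in the data section: encoded string, then key.
func (o ObfuscatedString) Image() []byte {
	return append(append([]byte{}, o.Enc...), o.Key...)
}

// StringsScan mimics a naive `strings`-style search and reports whether needle occurs verbatim.
func StringsScan(image []byte, needle string) bool {
	return bytes.Contains(image, []byte(needle))
}

// RecoverAll decodes every obfuscated literal once the scheme is understood,
// the static-analysis counterpart of Reveal.
func RecoverAll(items []ObfuscatedString) []string {
	out := make([]string, 0, len(items))
	for _, it := range items {
		out = append(out, it.Reveal())
	}
	return out
}

func main() {
	// Made-up literals standing in for the strings a RAT wants to hide.
	var stored []ObfuscatedString
	for _, lit := range []string{"c2.example.invalid", "cmd.exe", "/c whoami"} {
		key, err := RandomKey(len(lit))
		if err != nil {
			panic(err)
		}
		stored = append(stored, Obfuscate(lit, key))
	}
	for _, o := range stored {
		fmt.Printf("%q visible to a strings scan: %v\n", o.Reveal(), StringsScan(o.Image(), o.Reveal()))
	}
	fmt.Println("recovered at analysis time:", RecoverAll(stored))
}
```

The practical consequence for triage is that indicator extraction from a gobfuscated sample cannot rely on static strings; either run the sample under instrumentation and capture the decoded values, or locate the decode routine and replay it over the encoded blobs, as RecoverAll does here.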


ChaChi takes its name from two off-the-shelf tools that the malware incorporates and adapts for its own purposes: Chashell and Chisel.

Chisel is a TCP/UDP tunnelling and port-forwarding tool, while Chashell provides a reverse shell over DNS.
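A reverse shell over DNS, like the DNS tunneling listed among ChaChi's capabilities above, leaves a recognisable trace in resolver logs: many queries from one client to one domain whose leftmost labels are long, high-entropy and rarely repeated, frequently for TXT records. The Go program below is an example added for this article (not from BlackBerry's report, ChaChi or Chashell) of detection logic over such logs; it serves both the DNS tunneling capability and the Chashell reverse shell described here. The log line format (`timestamp client qtype qname`), the thresholds, the host names and the sample lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// SampleLog is constructed for this example, not real traffic. The line format
// "<timestamp> <client> <qtype> <qname>" is an assumption; adapt it to your resolver.
// 10.0.0.5 sends TXT queries carrying 32-character encoded labels; 10.0.0.7 is ordinary browsing.
var SampleLog = []string{
	"2021-06-24T10:00:01Z 10.0.0.5 TXT abcdefghijklmnopqrstuvwxyz234567.example.invalid",
	"2021-06-24T10:00:02Z 10.0.0.5 TXT bcdefghijklmnopqrstuvwxyz234567a.example.invalid",
	"2021-06-24T10:00:03Z 10.0.0.5 TXT cdefghijklmnopqrstuvwxyz234567ab.example.invalid",
	"2021-06-24T10:00:04Z 10.0.0.5 TXT defghijklmnopqrstuvwxyz234567abc.example.invalid",
	"2021-06-24T10:00:01Z 10.0.0.7 A www.example.com",
	"2021-06-24T10:00:02Z 10.0.0.7 A cdn.example.com",
	"2021-06-24T10:00:03Z 10.0.0.7 A www.example.com",
	"this line is malformed and must be skipped",
}

// ParseLine splits one log line into client, upper-case query type and lower-case name.
func ParseLine(line string) (client, qtype, name string, ok bool) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return "", "", "", false
	}
	return f[1], strings.ToUpper(f[2]), strings.TrimSuffix(strings.ToLower(f[3]), "."), true
}

// Entropy is the Shannon entropy of s in bits per byte: encoded payloads score high, hostnames low.
func Entropy(s string) float64 {
	var counts [256]int
	for i := 0; i < len(s); i++ {
		counts[s[i]]++
	}
	h, n := 0.0, float64(len(s))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Finding summarises one (client, registered domain) pair that looks like a tunnel.
type Finding struct {
	Client, Domain                                   string
	Queries                                          int
	AvgPrefixLen, AvgEntropy, UniqueRatio, TXTRatio float64
}

type agg struct {
	queries, txt   int
	lenSum, entSum float64
	unique         map[string]bool
}

// Analyze flags (client, domain) pairs whose subdomain prefixes are long, high-entropy and
// rarely repeated: the signature of data smuggled out in query names. Thresholds are illustrative.
// The registered domain is taken as the last two labels (no public-suffix list in this example).
func Analyze(lines []string, minQueries int) []Finding {
	const minAvgLen, minAvgEntropy, minUnique = 20.0, 3.5, 0.8
	groups := map[[2]string]*agg{}
	for _, line := range lines {
		client, qtype, name, ok := ParseLine(line)
		if !ok {
			continue
		}
		labels := strings.Split(name, ".")
		if len(labels) < 3 { // a bare apex query carries no payload label
			continue
		}
		dom := strings.Join(labels[len(labels)-2:], ".")
		prefix := strings.Join(labels[:len(labels)-2], ".")
		a := groups[[2]string{client, dom}]
		if a == nil {
			a = &agg{unique: map[string]bool{}}
			groups[[2]string{client, dom}] = a
		}
		a.queries++
		a.lenSum += float64(len(prefix))
		a.entSum += Entropy(prefix)
		a.unique[prefix] = true
		if qtype == "TXT" || qtype == "NULL" { // record types favoured by tunnels for bulk data
			a.txt++
		}
	}
	var out []Finding
	for k, a := range groups {
		n := float64(a.queries)
		f := Finding{Client: k[0], Domain: k[1], Queries: a.queries, AvgPrefixLen: a.lenSum / n,
			AvgEntropy: a.entSum / n, UniqueRatio: float64(len(a.unique)) / n, TXTRatio: float64(a.txt) / n}
		if a.queries >= minQueries && f.AvgPrefixLen >= minAvgLen && f.AvgEntropy >= minAvgEntropy && f.UniqueRatio >= minUnique {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(SampleLog, 3) {
		fmt.Printf("possible DNS tunnel: %+v\n", f)
	}
}
```

Against the sample log only the 10.0.0.5 to example.invalid pair is flagged: four queries, 32-character prefixes, 5.0 bits per byte, no repeated prefix and every query a TXT lookup. The browsing host is never flagged because its prefixes (www, cdn) are short, low-entropy and repeated. In production the thresholds need a baseline, since CDNs and some telemetry SDKs legitimately use long random-looking labels; volume per domain and TXT ratio are the usual tie-breakers.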


BlackBerry researchers attribute the Trojan to PYSA/Mespinoza, a threat group notorious for ransomware attacks in which encrypted files are given the .pysa extension.

PYSA stands for "Protect Your System Amigo", and the name is applied once victim data have been encrypted.

PYSA typically concentrates on "big game hunting", targeting organizations able to pay large ransoms.

Rather than being left to automated tooling, the attacks are targeted and hands-on, directed by a human operator.
