May 28, 2023

PYSA ransomware gang has started using a Golang-based Trojan RAT called ChaChi as part of a new campaign against educational organizations which is named after two key components of the RAT, Chashell and Chisel.

ChaChi’s code was altered to include obfuscation and persistence in late March or early April. In latest ChaChi variants with the added DNS tunnelling and Port-Forwarding and Proxy functionality. There have been few noteworthy changes after that point.

The latest PYSA campaign uses PowerShell scripts to uninstall/stop/disable antivirus and other essential services additional to installing ChaChi. PYSA ransomware operators can frustrate detection and prevention efforts by analysts and tools unfamiliar with the language using Golang.

Chachi demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide.

Researchers warned that organizations ignoring this threat do so at their own risk, especially in a year of one-after-another cyber security disasters.

Tags:

Leave a Reply

You may have missed

CrowdStrike strategy dominates MDR Market

CrowdStrike strategy dominates MDR Market

May 28, 2023
TheCyberThrone Security Week In Review–May 27, 2023

TheCyberThrone Security Week In Review–May 27, 2023

May 28, 2023
Zyxel Patches Critical Buffer Overflow Vulnerability

Zyxel Patches Critical Buffer Overflow Vulnerability

May 27, 2023
Apria Data Breach affects 2 million customers

Apria Data Breach affects 2 million customers

May 27, 2023
CosmicEnergy Malware Shutting Electric grid

CosmicEnergy Malware Shutting Electric grid

May 27, 2023
Operation Magalenha from Brazil

Operation Magalenha from Brazil

May 27, 2023
%d bloggers like this: