
ChaChi Trojan

ChaChi is a new RAT (Remote Access Trojan) threat that was discovered by malware researchers. The malware is written entirely in GoLang, part of a recent trend among cybercriminals, who are showing a noticeable shift away from C and C++ toward languages that are more obscure and harder to detect. GoLang appears to be the preferred choice, with an approximately 2,000% increase in the number of malware threats using the language in just a couple of years. 

The threat's name is derived from two off-the-shelf tools, Chashell and Chisel. The ChaChi malware uses modified versions of both tools as part of its operation. Chashell is described as a tool that provides a reverse shell over DNS, while Chisel acts as a port-forwarding system. 
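Because Chashell carries its shell traffic inside DNS queries, the most useful place to look for this kind of channel is the resolver log. The following Python is an added example (not part of this database entry or of either tool) that scores DNS query logs for many distinct, high-entropy subdomains under one domain; the log format and sample lines are constructed for the example, and the registered-domain split is a naive last-two-labels assumption rather than a public-suffix lookup.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log ("timestamp client qname qtype"); the example.net
# lines imitate data-carrying labels and are not real ChaChi indicators.
SAMPLE_LOG = """\
2021-06-01T10:00:01 10.0.0.5 www.example.com A
2021-06-01T10:00:02 10.0.0.5 mail.example.com MX
2021-06-01T10:00:03 10.0.0.7 7a9f3c1e4b2d8f0a6c5e.9d4b2f7e1a3c8b6d0f5e.c2.example.net TXT
2021-06-01T10:00:04 10.0.0.7 3e8d1c9b5a7f2e4d0b6a.f1c7e9a3b5d2f8e4a0c6.c2.example.net TXT
2021-06-01T10:00:05 10.0.0.7 b4e2d8a6c0f1e3b5d7a9.2f6e8a0c4b1d3f5e7a9c.c2.example.net TXT
2021-06-01T10:00:06 10.0.0.5 cdn.example.com A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character; encoded payload labels score well above ordinary host names."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(log_text, min_unique=3, min_entropy=3.0):
    """Flag (client, registered domain) pairs with many distinct, high-entropy subdomains."""
    stats = defaultdict(lambda: {"unique": set(), "entropy": [], "txt": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, qname, qtype = m.groups()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain, so nothing to carry data in
        sub = ".".join(labels[:-2])
        s = stats[(client, ".".join(labels[-2:]))]  # assumes last two labels = registered domain
        s["unique"].add(sub)
        s["entropy"].append(shannon_entropy(sub.replace(".", "")))
        s["txt"] += int(qtype == "TXT")  # TXT answers carry the most data back to the client
    flagged = {}
    for key, s in stats.items():
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        if len(s["unique"]) >= min_unique and mean_ent >= min_entropy:
            flagged[key] = {"unique_subdomains": len(s["unique"]),
                            "mean_entropy": round(mean_ent, 2), "txt_queries": s["txt"]}
    return flagged
```

On the constructed log the ordinary example.com lookups from 10.0.0.5 stay unflagged while the example.net traffic from 10.0.0.7 is reported; thresholds should be tuned against a baseline of the environment's own resolver logs before alerting on them.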

The Evolution of the ChaChi Trojan

The initial samples of the threat, detected in the first half of 2020, showed little sophistication, basic obfuscation and limited capabilities. Back then, ChaChi was leveraged in a series of attacks against local government authorities in France. Since then, however, the threat has undergone rapid development, and its current versions are far more threatening. 

ChaChi now possesses full RAT functionality: it can establish a backdoor channel to the compromised system, exfiltrate sensitive data, access credentials via the Windows Local Security Authority Subsystem Service (LSASS), and move laterally within the victim's network. For obfuscation, the threat employs the publicly available tool gobfuscate, a common choice for GoLang obfuscation. 

The targets of the RAT have also undergone a drastic change. ChaChi is now being used in ransomware operations targeting large US schools and educational organizations. 

The new attack behavior supports the conjecture that ChaChi was developed by the PYSA/Mespinoza hacker group. PYSA has been involved in several ransomware campaigns, and the FBI has previously issued a warning about a potential increase in the group's attacks against schools located in the UK and US. 
