New GoLang Trojan used in attacks against US schools


A new Trojan written in the Go programming language was used in attacks against government agencies to US schools.

The malware that has been dubbed ChaChi, is also being used as a key component in launching ransomware attacks. 

ChaChi is written in GoLang (Go), a programming language which is now largely used by threat actors due to its versatility and the ease of cross-platform code compilation.  

According to Intezer, there has been roughly a 2,000% increase in Go-based malware samples over the past few years. 

According to the research team from BlackBerry Threat Research and Intelligence, as this is a new phenomenon, many core tools to the analysis process are still catching up. This could make Go a more challenging language to analyze.

ChaChi was spotted in the first half of 2020, and the original variant of the Remote Access Trojan (RAT) has been linked to cyberattacks against French local government authorities, but now, a far more sophisticated variant has appeared. 

The latest samples available have been connected to attacks launched against large US schools and education organizations. 

When compared to the first variant of ChaChi, which had poor obfuscation and low-level capabilities, the malware is now able to perform typical RAT activities, including backdoor creation and data exfiltration, as well as credential dumping via the Windows Local Security Authority Subsystem Service (LSASS), network enumeration, DNS tunneling, SOCKS proxy functionality, service creation, and lateral movement across networks.

The malware uses a publicly accessible GoLang tool, gobfuscate, for obfuscation purposes. 

ChaChi is named so due to Chashell and Chisel, two off-the-shelf tools used by the malware during attacks and modified for these purposes. Chashell is a reverse shell over DNS provider, while Chisel is a port-forwarding system.

BlackBerry researchers believe that the Trojan is the work of PYSA/Mespinoza, a threat group known for launching ransomware campaigns and using the extension. PYSA when victim files have been encrypted, standing for “Protect Your System Amigo.”

Usually PYSA focuses on “big game hunting” and picks their targets who can pay large ransoms. The attacks are targeted and are controlled by a human operator rather than a task of automated tools.


Please enter your comment!
Please enter your name here