A new GoLang Trojan has been added to the Malware Family

Jun 24, 2021 12:07 GMT

BlackBerry Threat Research and Intelligence revealed on Wednesday that a new ChaChi Trojan is being used as a critical component in ransomware operations against government organizations and U.S. schools, ZDNet reports.

The original version of the Remote Access Trojan (RAT), identified in the first half of 2020, was linked to cyberattacks against French local governments, as listed in the Indicators of Compromise (IoC) report from CERT France. The FBI has previously warned of a considerable rise in PYSA attacks on schools, both in the United Kingdom and the United States.

The new ChaChi has evolved from the earlier variant, which had drawbacks such as poor obfuscation and limited capabilities. The new version is capable of performing traditional RAT actions such as data exfiltration, backdoor creation, and credential dumping from the Windows Local Security Authority Subsystem Service (LSASS).

The new ChaChi version is more sophisticated and dangerous

BlackBerry researchers believe the Trojan was created by the cybercriminal group PYSA/Mespinoza, which has been active since 2018. This group is known for running ransomware operations and deploying ransomware that uses the PYSA file extension.

However, the team claims that PYSA focuses on more financially capable targets with deep pockets, able to pay hefty sums when a ransom is demanded. Researchers pointed out that "This is a notable change in operation from earlier notable ransomware campaigns such as NotPetya or WannaCry". Unlike most ransomware attacks, which rely on automated tools for each step of their operation, these attacks are targeted and often directed by a human operator.

The ransomware field is evolving quickly, as "These actors are utilizing advanced knowledge of enterprise networking and security misconfigurations to achieve lateral movement and gain access to the victim's environments". The same trend has been noticed with other ransomware, such as WannaCry or NotPetya.