New ChaChi malware variant designed to target Linux systems

A newly discovered Linux version of the ChaChi remote-access trojan virus has been found in the wild in a rare example of Windows-based malware being adapted for the operating system.

ChaChi, which is written in the compiled GoLang compiled programming language designed by Google LLC, first appeared last year and was used in attacks against U.S. schools in June.

The name is derived from its two parts, ChaShell and Chisel. ChaShell is a “reverse shell over DNS” provider, while Chisel is a port-forwarding tool. The emergence of ChaChi was notable in itself because malware is typically compiled in C or C++.

The remote-access trojan is linked to the PYSA ransomware gang, which is also known as Mespinoza. The gang was noted in July as mostly flying under the radar while expanding its attacks. PYSA targets include education, manufacturing, retail, medical, government, high-tech, transportation and logistics, engineering and social services.

The Linux-based variant of ChaChi was discovered by researchers at security firm Lacework Inc. The researchers note that, unlike traditional information technology infrastructure, which is predominantly Windows-based, cloud infrastructure is heavily Linux-based at 80%-plus), making this one of the clearest signs yet that ransomware gangs and other attackers are turning their focus to cloud-based targets.

The Linux version of ChaChi is said to share characteristics with its Windows counterpart, most notably its core functionality, larger file size at 8 megabytes or more, and the use of a Go obfuscator called Gobfuscate. The malware leverages custom nameservers, which double as command-and-control centers to support the domain name server tunneling protocol.

Interestingly, two domains used by the Linux version resolved to Amazon IP address hosted by Amazon Web Services Inc. Global Accelerator hosts, although that may be linked to the domains being registered with Namecheap Inc.

Since ChaChi is written in Go, the researchers note, only a handful of antivirus products could detect it. Antivirus products are said to be less mature in detecting Linux malware. Combined with ChaChi being from a less mature malware family and written in Go, this malware is harder to detect.

“Many actors target multiple architectures to increase their footprint, so this may be the motive here and could represent an evolution in PYSA operations,” the researchers conclude. “While ransomware activity involving Linux servers and cloud infrastructure remains rare, it still poses a real threat to business operations and customer data.”

Photo: Bill McChesney/Flickr