Research published Wednesday by BlackBerry details a recently identified trojan being used by a ransomware gang that’s increasingly turned its sights on K-12 school districts and higher education institutions in the United States.
The remote access trojan, or RAT, was dubbed “ChaChi” by BlackBerry researchers, a portmanteau of the names of two hacking tools it uses. It has been used as a backdoor to networks targeted by a ransomware called PYSA, which the FBI warned in March is behind a rising wave of attacks on education, health and corporate networks.
According to BlackBerry, an early form of ChaChi was first spotted in March 2020, infiltrating local governments in France. But it was later upgraded with new capabilities, including code obfuscation and DNS tunneling, a technique that allows an attacker to bypass a victim network’s firewalls and other detection methods. The trojan is written in Golang, a relatively new programming language that fewer technologists are familiar with, making it more difficult to analyze.