Education Sector Targeted by 'ChaChi' Remote Access Trojan

New research has revealed that a previously unnamed remote access Trojan, or RAT, which had until recently been targeting local governments in France, is setting its sights on education institutions in the United States. It’s being deployed by PYSA/Mespinoza ransomware operators.

According to the BlackBerry Threat Research and Intelligence SPEAR Team, the newly dubbed "ChaChi" RAT (named after two of its components, Chashell and Chisel) is being used against both K–12 and higher education organizations across 12 states in the United States, as well as in the UK. Healthcare has also been a target.

“This may be due in part to healthcare and educational organizations being more susceptible to cyberattacks as they are less likely to have established security infrastructures or may lack the resources to prioritize security,” according to the report. “Healthcare and education organizations also host large volumes of sensitive data, making them more valuable targets. It is not uncommon for schools and hospitals to have legacy systems, poor email filtering, no data backups, or unpatched systems in their environments. This leaves their networks more vulnerable to exploits and ransomware attacks.”

Researchers noted the nature of education environments makes them particularly attractive to attackers. “It is particularly concerning that attackers are focusing so heavily on education organizations, as they are especially vulnerable. Higher education environments tend to function like miniature cities, with a heavy cultural emphasis on information-sharing. Not only do they host significant quantities of business data; schools also host traffic from students living on campus,” according to the report. “These students often have little security awareness training, and they might fall victim to suspicious emails, fail to recognize questionable websites, or download malicious programs onto their personal devices while connected. These factors contribute to these industries being easy but valuable targets to threat actors and may explain the sudden increase in PYSA actors attacking educational institutions.”

ChaChi is written in Go (sometimes called Golang), a relatively new language, which helps frustrate detection and prevention, according to BlackBerry. It also uses gobfuscate, an obfuscation tool previously seen in Ekans and BlackRota, that makes detection of code more difficult. Its actual workings are complex but are laid out in detail, with screen shots, on BlackBerry’s site.

“ChaChi is a powerful tool in the hands of malicious actors who are targeting industries notoriously susceptible to cyberattacks,” the researchers concluded. “It has demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide. Organizations ignoring this threat do so at their own risk, in a year of one-after-another cybersecurity disasters.”

For more information, including a detailed analysis of ChaChi's inner workings and evolution, visit the BlackBerry site.

About the Author

David Nagel is the former editorial director of 1105 Media's Education Group and editor-in-chief of THE Journal, STEAM Universe, and Spaces4Learning. A 30-year publishing veteran, Nagel has led or contributed to dozens of technology, art, marketing, media, and business publications.

He can be reached at [email protected]. You can also connect with him on LinkedIn at https://www.linkedin.com/in/davidrnagel/ .


Featured

  • glowing blue nodes connected by thin lines in an abstract network on a dark gray to black gradient background

    Report: Generative AI Taking Over SD-WAN Management

    In a few years, nearly three quarters of network operators will use generative AI for SD-WAN management, according to a new report from research firm Gartner.

  • abstract pattern with interconnected blue nodes and lines forming neural network shapes, overlaid with semi-transparent bars and circular data points

    Data, AI Lead Educause Top 10 List for 2025

    Educause recently released its annual Top 10 list of the most important technology issues facing colleges and universities in the coming year, with a familiar trio leading the bunch: data, analytics, and AI. But the report presents these critical technologies through a new lens: restoring trust in higher education.

  • abstract image representing AI tools for reading and writing

    McGraw Hill Introduces 2 Gen AI Learning Tools

    Global education company McGraw Hill has added two new generative AI tools to help personalize learning experiences for both K–12 and higher ed students, according to a news release.

  • abstract image of fragmented, floating geometric shapes with holographic lock icons and encrypted code, set against a dark, glitchy background with intersecting circuits and swirling light trails

    Education Sector a Top Target for Mobile Malware Attacks

    Mobile and IoT/OT cyber threats continue to grow in number and complexity, becoming more targeted and sophisticated, according to a new report from Zscaler.