Education Sector Targeted by 'ChaChi' Remote Access Trojan

• By David Nagel
• 06/24/21

New research has revealed that a previously unnamed remote access Trojan, or RAT, which had until recently been targeting local governments in France, is setting its sights on education institutions in the United States. It’s being deployed by PYSA/Mespinoza ransomware operators.

According to the BlackBerry Threat Research and Intelligence SPEAR Team, the newly dubbed "ChaChi" RAT (named after two of its components, Chashell and Chisel) is being used against both K–12 and higher education organizations across 12 states in the United States, as well as in the UK. Healthcare has also been a target.

“This may be due in part to healthcare and educational organizations being more susceptible to cyberattacks as they are less likely to have established security infrastructures or may lack the resources to prioritize security,” according to the report. “Healthcare and education organizations also host large volumes of sensitive data, making them more valuable targets. It is not uncommon for schools and hospitals to have legacy systems, poor email filtering, no data backups, or unpatched systems in their environments. This leaves their networks more vulnerable to exploits and ransomware attacks.”

Researchers noted the nature of education environments makes them particularly attractive to attackers. “It is particularly concerning that attackers are focusing so heavily on education organizations, as they are especially vulnerable. Higher education environments tend to function like miniature cities, with a heavy cultural emphasis on information-sharing. Not only do they host significant quantities of business data; schools also host traffic from students living on campus,” according to the report. “These students often have little security awareness training, and they might fall victim to suspicious emails, fail to recognize questionable websites, or download malicious programs onto their personal devices while connected. These factors contribute to these industries being easy but valuable targets to threat actors and may explain the sudden increase in PYSA actors attacking educational institutions.”

ChaChi is written in Go (sometimes called Golang), a relatively new language, which helps frustrate detection and prevention, according to BlackBerry. It also uses gobfuscate, an obfuscation tool previously seen in Ekans and BlackRota, that makes detection of code more difficult. Its actual workings are complex but are laid out in detail, with screen shots, on BlackBerry’s site.

“ChaChi is a powerful tool in the hands of malicious actors who are targeting industries notoriously susceptible to cyberattacks,” the researchers concluded. “It has demonstrated itself as a capable threat, and its use by PYSA ransomware operatives is a cause for concern, especially at a time when ransomware is experiencing alarming success through a string of high-profile attacks including campaigns conducted by REvil, Avaddon and DarkSide. Organizations ignoring this threat do so at their own risk, in a year of one-after-another cybersecurity disasters.”

For more information, including a detailed analysis of ChaChi's inner workings and evolution, visit the BlackBerry site.