UPDATED 09:00 EDT / SEPTEMBER 09 2021

SECURITY

New ChaChi malware variant designed to target Linux systems

A newly discovered Linux version of the ChaChi remote-access trojan virus has been found in the wild in a rare example of Windows-based malware being adapted for the operating system.

ChaChi, which is written in the compiled GoLang compiled programming language designed by Google LLC, first appeared last year and was used in attacks against U.S. schools in June.

The name is derived from its two parts, ChaShell and Chisel. ChaShell is a “reverse shell over DNS” provider, while Chisel is a port-forwarding tool. The emergence of ChaChi was notable in itself because malware is typically compiled in C or C++.

The remote-access trojan is linked to the PYSA ransomware gang, which is also known as Mespinoza. The gang was noted in July as mostly flying under the radar while expanding its attacks. PYSA targets include education, manufacturing, retail, medical, government, high-tech, transportation and logistics, engineering and social services.

The Linux-based variant of ChaChi was discovered by researchers at security firm Lacework Inc. The researchers note that, unlike traditional information technology infrastructure, which is predominantly Windows-based, cloud infrastructure is heavily Linux-based at 80%-plus), making this one of the clearest signs yet that ransomware gangs and other attackers are turning their focus to cloud-based targets.

The Linux version of ChaChi is said to share characteristics with its Windows counterpart, most notably its core functionality, larger file size at 8 megabytes or more, and the use of a Go obfuscator called Gobfuscate. The malware leverages custom nameservers, which double as command-and-control centers to support the domain name server tunneling protocol.

Interestingly, two domains used by the Linux version resolved to Amazon IP address hosted by Amazon Web Services Inc. Global Accelerator hosts, although that may be linked to the domains being registered with Namecheap Inc.

Since ChaChi is written in Go, the researchers note, only a handful of antivirus products could detect it. Antivirus products are said to be less mature in detecting Linux malware. Combined with ChaChi being from a less mature malware family and written in Go, this malware is harder to detect.

“Many actors target multiple architectures to increase their footprint, so this may be the motive here and could represent an evolution in PYSA operations,” the researchers conclude. “While ransomware activity involving Linux servers and cloud infrastructure remains rare, it still poses a real threat to business operations and customer data.”

Photo: Bill McChesney/Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

We are holding our third cloud startup showcase on Sept. 22. Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.