Pysa Ransomware Gang Targets LinuxMalware Designed To Attack Linux Hosts With ChaChi Backdoor
The Pysa ransomware gang has created a Linux version of its malware designed to target Linux hosts with the ChaChi backdoor, using its Windows counterpart's characteristics, according to a report by cloud security firm Lacework.
What is believed to be the first Linux version of ChaChi, a Golang-based DNS tunnelling backdoor, was spotted on VirusTotal, Lacework reports, and it is configured to use domains associated with ransomware actors known as Pysa, aka Mespinoza Ransomware Gang.
"PYSA’s ChaChi infrastructure appears to have been largely dormant for the past several weeks, mostly parked and apparently no longer operational. We assess with moderate confidence this sample represents the PYSA actor expanding into targeting Linux hosts with ChaChi backdoor," the researchers note.
It was during August that researchers at Lacework Labs first observed a Linux variant of ChaChi, a customized variant of an open-source, Golang-based RAT that leverages DNS tunnelling for command and control communication.
"Many actors target multiple architectures to increase their footprint, so this may be the motive here and could represent an evolution in PYSA operations. It is currently unclear if the Linux variant was used in operations, however it was observed prior to the associated infrastructure going offline. The observed debug output, however, may indicate the specimen is still in the testing phase," the researchers state.
The Pysa gang is known for targeting manufacturers, schools and others, mainly in the U.S. and U.K., demanding ransom payments as high as $1.6 million, according to a report by Palo Alto Networks' Unit 42 threat intelligence team.
In a March alert, the FBI highlighted a surge in Pysa ransomware attacks targeting educational institutions in the U.S. and U.K.
"The unidentified cyber actors have specifically targeted higher education, K-12 schools and seminaries," the FBI wrote. "The attackers using PYSA tend to follow the pattern of entering a network, removing data, encrypting the system and then threatening to make the stolen data public if the ransom is not paid," the FBI adds.
The specimen was observed recently, but the researchers state that it was uploaded to VirusTotal on June 14, 2021, and only had 1/61 AV detections at the time. Following publication of the new variant in late August, this has increased and as of Friday, it’s had a 20/61 detection rate.
The new Linux variant is also reported to share characteristics with its Windows counterpart, particularly its core functionality, the large file size (8MB +) and the use of Golang obfuscator Gobfuscate.
"A distinguishing characteristic of the Linux version was the presence of debug output containing date time data. ChaChi also leverages custom nameservers that double as C2s to support the DNS tunnelling protocol," the researchers say, adding that the C2 hosts can be identified with passive DNS analysis of the name server domains.
Analysis shows that the majority of ChaChi infrastructure has been parked or offline since June 2021. The two exceptions to this appear to be domains ns1.ccenter.tech and ns2.spm.best. The two domains from the Linux variant identified as sbvjhs.xyz and sbvjhs.club resolved to Amazon IP address 188.8.131.52, which is an AWS Global accelerator host and has several AV detections on VirusTotal.
"Our analysis indicates this is most likely used by Namecheap for domain parking purposes and should not be used as a ChaChi IOC," the researchers note.
Pysa has been active since October 2019 and is tied to several earlier attacks internationally (see: Ransomware 2020: A Year of Many Changes).
In January 2021, the hackers behind Pysa published data stolen from Hackney Council, a local U.K. government body, after hacking its network in October 2020 and rendering its IT systems inoperable.
In March 2020, France’s Computer Emergency Response Team said Pysa was targeting local governments in France for ransomware attacks.
A report last month by security firm Digital Shadows found that Pysa was among the latest ransomware strains to adopt the hack-and-leak model (see: Ransomware Newcomers Include Pay2Key, RansomEXX, Everest).