[MART] - Daily Diary #291 - Pysa Gang New Attacks Using ChaChi Ransomware

CTAS-MAT ctas-mat at appgate.com
Thu Jun 24 20:38:38 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

06/24/2021 - Diary entry #291:

This week a new version of ChaChi RAT was disclosed, being used by the cybercrime group Pysa. ChaChi was first discovered late 2020, but had few capabilities and poor code obfuscation. This new variant contains significant improvements, and it's able to create a backdoor in the system, allowing an attacker to use the malware for data exfiltration, credential dumping, network enumeration, lateral movement, and to deploy other malware like Pysa itself. This new code is obfuscated using gobfuscate, as a way to make analysis more difficult. Recently Pysa was using ChaChi to target education institutions in the US and in the UK.

In our Daily Diary #186 we discussed the new trend of Golang malware. Although ChaChi is not a new threat, this incident shows an effort in cybercrime to develop malware using this technology. Although Pysa focused on Windows machines, Golang allows easy cross-compilation for Linux and MacOS, so companies and Antivirus solutions must be prepared for multi-platform malware in the near future.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210624/779a4678/attachment.html>

More information about the MART mailing list