The ChaChi trojan is a new RAT (Remote Access Trojan) discovered by malware researchers. The malware is written entirely in Golang. Golang is gaining ground among malware authors: there has been a 2000% increase in the number of malware threats using the language in the past couple of years. The trojan is derived from two off-the-shelf tools, Chashell and Chisel, and uses modified versions of both as part of its operation. Chashell is a reverse shell, while Chisel is a port-forwarding tool.
The very first sample of the threat was detected in the first half of 2020. At that point it showed little sophistication, with only basic obfuscation and limited capabilities. Some years back, the ChaChi trojan was used in attacks against local government authorities in France. Since then the threat has undergone rapid development, and its current version is far more threatening.
These days ChaChi possesses full RAT (Remote Access Trojan) functionality: it establishes a backdoor channel into a compromised system, exfiltrates sensitive and confidential data, accesses credentials via the Windows Local Security Authority Subsystem Service (LSASS), and moves laterally within the victim's network.
For obfuscation, the threat employs the publicly available tool gobfuscate, which seems to be a common choice for Golang obfuscation. The targets of the remote access trojan have also changed drastically. ChaChi is now being used in ransomware operations, and it has also started targeting large US schools and educational organizations.
This new attack behavior supports speculation that ChaChi was developed by the PYSA/Mespinoza hacker group. PYSA has also been involved in many ransomware campaigns, and the US FBI has issued a warning letter about a potential increase in the group's attacks on schools located in the UK and US.