Remote Access Trojan now targeting schools with ransomware

Dubbed ChaChi by researchers at BlackBerry, the RAT has recently shifted its focus from government agencies to schools in the US.

A Remote Access Trojan is targeting schools and universities with ransomware attacks. Christened ChaChi by the BlackBerry Threat Research and Intelligence SPEAR team, the RAT is being used by operators of the PYSA ransomware, according to a report released by BlackBerry on Wednesday. Specifically, ChaChi has been discovered in data breaches of K-12 schools and higher education facilities in the U.S. as well as the U.K.

ChaChi is designed to exfiltrate data, steal credentials and deploy malware to compromise its victims. The RAT gains a foothold in an organization through a series of steps.

PowerShell scripts are used to uninstall or disable antivirus and other security services. Account credentials are captured by dumping the contents of memory from the Windows Local Security Authority Subsystem Service. Port scanning is used to look for vulnerable or open ports. ChaChi is then installed as a service.

The attackers gain lateral movement throughout the network using such tools as Remote Desktop Protocol and PsExec. Data is likely exfiltrated through a tunnel created by ChaChi. The RAT then communicates with the Command and Control center of the attackers.
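The host-side steps described above can be correlated in endpoint logs. The sketch below is an added example, not code from the BlackBerry report or this article: it flags a host when several of those steps appear within one time window. The event IDs are the standard Windows Security, System and Sysmon IDs; the normalized field names, host names, the Defender command-line match and the 24-hour/three-stage thresholds are assumptions. Port scanning is left out because it needs network telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def classify(ev):
    """Map one normalized event to a chain stage (matching rules are assumptions)."""
    eid, d = ev["event_id"], ev["data"]
    if eid == 4688 and "powershell" in d.get("image", "").lower():
        # Process creation: PowerShell switching off Defender real-time protection
        if "disablerealtimemonitoring" in d.get("cmdline", "").lower():
            return "av_tamper"
    if eid == 10 and d.get("target_image", "").lower().endswith("\\lsass.exe"):
        return "lsass_access"            # Sysmon ProcessAccess against LSASS
    if eid == 7045:                      # Service Control Manager: service installed
        psexec = d.get("service_name", "").upper() == "PSEXESVC"
        return "psexec_service" if psexec else "new_service"
    if eid == 4624 and d.get("logon_type") == 10:
        return "rdp_logon"               # RemoteInteractive (RDP) logon
    return None

def correlate(events, window=timedelta(hours=24), threshold=3):
    """Return {host: stages} for hosts with >= threshold distinct stages in window."""
    per_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= threshold:
                alerts[host] = sorted(stages)
                break
    return alerts

def _ev(time, host, event_id, **data):
    return {"time": time, "host": host, "event_id": event_id, "data": data}

# Constructed sample events (not real telemetry).
SAMPLE = [
    _ev("2021-06-01T02:10:00", "LAB-PC07", 4688,
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        cmdline="powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    _ev("2021-06-01T02:14:00", "LAB-PC07", 10,
        target_image=r"C:\Windows\System32\lsass.exe"),
    _ev("2021-06-01T02:40:00", "LAB-PC07", 7045, service_name="ExampleSvc"),
    # A routine admin session: RDP logon plus one service install, below threshold.
    _ev("2021-06-01T09:00:00", "STAFF-PC02", 4624, logon_type=10),
    _ev("2021-06-01T09:05:00", "STAFF-PC02", 7045, service_name="PrinterHelper"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Single stages such as an RDP logon or a new service are common in normal administration, which is why the sketch alerts only on the combination.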

Initially spotted during the first half of 2020 without much hubbub, the first variant of ChaChi was used to attack networks of government agencies in France and was considered an indicator of compromise by CERT France, BlackBerry said. PYSA and ChaChi then shifted the targets to healthcare organizations and private companies before focusing on educational institutions starting in early 2021.

ChaChi is written in Go, also known as Golang, a fairly new programming language. Because Go is still fresh, analyzing the code can be difficult, creating challenges for security researchers.

Cybercriminals often target schools because they know they’re ripe for attack. Schools may lack the necessary budgets for robust security protection. They can’t necessarily exert the tight security controls adopted by large enterprises. And they have to contend with students and other people connecting to their networks from external devices that may not be secure.

“Cybersecurity attacks have ramped up in volume and ferocity since the COVID-19 pandemic began a year ago,” BlackBerry VP of Research and Intelligence Eric Milam told TechRepublic. “This includes ChaChi and PYSA switching their focus to take advantage of the COVID pandemic to attack educational institutions. Many universities are forced to act as an ISP for their student body, which adds a layer of complexity since they are restricted on what limits and monitoring options can be put in place compared to other organizations.”

Recommendations

To protect schools and universities from cyberattack, Milam offers several pieces of advice.

  • User training. Conduct user awareness training around phishing attacks and suspicious links and attachments in emails to fight the threat on a human level.
  • Update your systems. On a technological level, be sure to patch your operating systems and applications and implement endpoint protection technology.
  • Monitor and audit. For more sensitive areas of a university environment, set up auditing, logging and monitoring of endpoint and network activity. Also, monitor the use of critical account credentials.
  • Check for weaknesses. Running vulnerability assessments and detailed penetration testing can help track down critical vulnerabilities that should be mitigated.

“The main focus here is on how vital it is to secure an environment at an appropriate level and to put in the right checks and balances to identify any anomalies,” Milam said.

“If you’ve built a secure internal infrastructure, gaining access to other critical resources is prevented, even if certain areas of the network need to be allowed relatively unfettered access,” Milam added. “While it can be difficult to combat a breach at the point of access, organizations can take steps to make systems much more difficult to compromise and more defendable when attacked, as well as resilient and recoverable when attacks are successful.”
