Blackberry detects Remote Access Trojan (RAT) ChaChi

Security experts from BlackBerry's Threat Research and Intelligence team have discovered the ChaChi remote access Trojan (RAT). The Trojan, which targets Windows systems, was developed by the operators of the PYSA ransomware and is used against targets worldwide. In recent months it has been aimed at educational institutions. The attackers, who have been deploying ChaChi since summer 2020, operate from IP addresses in Germany and Romania.



ChaChi is a custom-built Trojan written in the relatively new programming language "Go", also known as "Golang". This makes the malware harder to analyze, as many of the core tools for the analysis process are still under development. The name ChaChi comes from two key components of the RAT, Chashell and Chisel. Both are existing tools that the malware operators use to perform their intended actions instead of writing custom tooling for the same functionality.

The first versions of PYSA have been circulating since the end of 2018. The name of this threat comes from the file extension (.PYSA) used by early variants to rename encrypted files and the ransom note that warned victims to "protect your system, amigo."

BlackBerry experts have conducted numerous investigations and responded to PYSA ransomware incidents in which ChaChi was present. Key findings from the PYSA campaign include:

    • Defense evasion: PowerShell scripts to uninstall/stop/disable antivirus software and the firewall.
    • Credential access: Dumping of credentials from LSASS without Mimikatz (comsvcs.dll).
    • Discovery: Internal network enumeration with Advanced Port Scanner.
    • Persistence: ChaChi is installed as a service.
    • Lateral movement: RDP and PsExec.
    • Exfiltration: Likely via the ChaChi tunnel (not yet observed).
    • Command and Control (C2): ChaChi RAT.
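The findings above map cleanly onto host telemetry a defender already collects. The following added example (not code from BlackBerry or from the article) runs three detections over constructed, Sysmon-style sample events: LSASS dumping through comsvcs.dll, AV/firewall being switched off from a script, and a service installed from an untrusted path. The event shape, the sample command lines and the trusted-directory list are assumptions for illustration and should be tuned to real telemetry.

```python
import re

# Constructed sample events (not real telemetry) in a minimal Sysmon/Windows-event-like shape:
# id 1 = process creation, id 7045 = new service installed.
SAMPLE_EVENTS = [
    {"id": 1, "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 652 C:\Users\Public\l.dmp full"},
    {"id": 1, "cmdline": "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 1, "cmdline": "netsh advfirewall set allprofiles state off"},
    {"id": 7045, "service_name": "WinUpdateSvc", "image_path": r"C:\Users\Public\svc.exe"},
    {"id": 7045, "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": 1, "cmdline": "notepad.exe C:\\notes.txt"},
]

# Directories a service binary is normally expected to live in (assumed list; tune per estate).
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

# (tactic, detail, case-insensitive regex over the process command line)
CMDLINE_RULES = [
    ("Credential Access", "LSASS dump via comsvcs.dll MiniDump (no Mimikatz needed)",
     re.compile(r"comsvcs\.dll.*minidump", re.I)),
    ("Defense Evasion", "Defender real-time protection disabled from PowerShell",
     re.compile(r"set-mppreference.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("Defense Evasion", "Windows Firewall switched off with netsh",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
]


def classify(event):
    """Return (tactic, detail) if the event matches one of the PYSA/ChaChi TTPs, else None."""
    if event["id"] == 1:
        for tactic, detail, pattern in CMDLINE_RULES:
            if pattern.search(event["cmdline"]):
                return (tactic, detail)
    elif event["id"] == 7045:
        # A new service whose binary sits outside the usual system locations is the
        # persistence pattern described for ChaChi (installed as a service).
        if not event["image_path"].lower().startswith(TRUSTED_SERVICE_DIRS):
            return ("Persistence", f"service {event['service_name']!r} installed from {event['image_path']}")
    return None


def triage(events):
    """Run every event through classify() and keep the hits, preserving order."""
    return [hit for hit in map(classify, events) if hit]


if __name__ == "__main__":
    for tactic, detail in triage(SAMPLE_EVENTS):
        print(f"[{tactic}] {detail}")
```

The regexes are deliberately narrow; in production they belong in a Sigma rule or your SIEM's query language, paired with the service-path check on Event ID 7045 rather than on process creation alone.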

More information can be found in this BlackBerry article published by the security researchers.

