Pysa Ransomware Gang Launches Support for Linux


Cybercrime, Cybercrime as-a-service, Fraud Management & Cybercrime

Malware designed to attack Linux hosts with the ChaChi backdoor

Prajeet Nair (@prajeetspeaks) •
September 11, 2021

The Pysa ransomware gang has created a Linux version of its malware designed to target Linux hosts with the ChaChi backdoor, using the characteristics of its Windows counterpart, according to a report from cloud security company Lacework Labs.

See also: Top 50 Security Threats

What is believed to be the first Linux release of ChaChi, a Golang-based DNS tunneling backdoor, has been spotted on reports from VirusTotal Lacework Labs, and it is configured to use domains associated with known ransomware actors. under the name of PYSA, aka Menipoza Ransomware Gang.

“PYSA’s ChaChi infrastructure appears to have been largely dormant over the past few weeks, mostly parked and apparently more operational. We rate with moderate confidence this sample represents the PYSA player growing to target Linux hosts with the ChaChi backdoor, ”the researchers note.

It was in August that researchers at Lacework Labs first observed a Linux variant of ChaChi, a custom variant of an open source Golang-based RAT that exploits DNS tunneling for command and control communication.

“Many players are targeting multiple architectures to increase their footprint, so this may be the motive here and could represent an evolution in PYSA operations. It is currently unclear whether the Linux variant has been used in operations, but it has observed before the associated infrastructure passes The observed debug output, however, may indicate that the specimen is still in the testing phase, ”the researchers say.

FBI Alert

The PYSA gang is known to target manufacturers, schools and others, primarily in the US and UK, demanding ransom payments of up to $ 1.6 million, according to a report from the team at threat intelligence from Unit 42 of Palo Alto Networks.

In a March alert, the FBI highlighted an increase in PYSA ransomware attacks targeting educational institutions in the United States and the United Kingdom

“Unidentified cyber actors have specifically targeted higher education, K-12 schools and seminars,” the FBI wrote. “Attackers using PYSA tend to enter a network, delete data, encrypt the system, and then threaten to release the stolen data public if the ransom is not paid,” the FBI added.

Technical details

The specimen was observed recently, but researchers say it was uploaded to VirusTotal on June 14, 2021, and only had 1/61 AV detections at the time. Following the release of the new variant at the end of August, that number increased and, as of September 10, the detection rate was 20/61.

The new Linux variant would also share features with its Windows counterpart, especially its basic functionality, large file size (8MB +), and use of the Golang Gobfuscate obfuscator.

“A distinguishing feature of the Linux version was the presence of debug output containing date and time data. ChaChi also operates custom name servers that also serve as C2 to support the DNS tunneling protocol.” , say the researchers, adding that C2 hosts can be identified with DNS scans of name server domains.

Analysis shows that the majority of the ChaChi infrastructure has been parked or offline since June 2021. The two exceptions to this rule appear to be the and domains. The two Linux variant domains identified as and resolved to Amazon IP address, which is an AWS Global Accelerator host and has multiple AV detections on VirusTotal.

“Our analysis indicates that this is most likely used by Namecheap for domain parking purposes and should not be used as ChaChi IOC,” the researchers note.

PYSA Ransomware

Pysa has been active since October 2019 and is linked to several previous attacks internationally (see: Ransomware 2020: a year of many changes).

In January 2021, the hackers behind Pysa released stolen data to Hackney Council, a local government body in the United Kingdom, after they hacked its network in October 2020 and rendered its computer systems inoperative.

In March 2020, the French computer emergency response team said Pysa was targeting local governments in France for ransomware attacks.

A report released last month by security firm Digital Shadows revealed that Pysa was among the latest strains of ransomware to adopt the hack-and-leak model (see: Newcomers to ransomware include Pay2Key, RansomEXX, Everest).


Leave A Reply