With the recent addition of a Linux-compatible build, the PYSA ransomware gang has broadened its attack surface. Researchers discovered a Linux version of ChaChi on VirusTotal. ChaChi is a DNS tunneling backdoor written in Golang, and its tunneling traffic uses domains belonging to the PYSA ransomware group.
On 14 June, ChaChi was submitted to VirusTotal for the first time and was flagged by only one of 61 antivirus engines. Lacework Labs uncovered the Linux version of ChaChi later, in August.
For the most part, the Linux and Windows versions share the same characteristics, such as a large binary size (more than 8 MB) and the use of Gobfuscate, an obfuscation tool for Golang.
One characteristic unique to the Linux version is debug output that includes DateTime data. DNS tunneling is accomplished through bespoke nameservers that also function as the C2 servers.
PYSA is not alone: a number of threat actors have recently been seen attacking Linux-based devices and networks in addition to Windows.
In August, the BlackMatter ransomware group created a Linux encryptor to target VMware's ESXi virtualization platform, which is widely used in businesses.
According to researchers, the HelloKitty and REvil ransomware families have also been observed targeting Linux-based systems, notably ESXi servers, using ELF encryptors.
Developing multi-platform malware is a common practice among attackers looking to broaden their victim base. The PYSA ransomware group's Linux edition has yet to be seen in any operational attacks. This malware may, however, be used in attack campaigns in the future. Keep an eye out!