
PYSA Ransomware Gang adds Linux Support


Key Take Aways

  • The first Linux version of ChaChi, a Golang based DNS tunneling backdoor, was recently observed on VirusTotal.
  • The malware is configured to use domains associated with ransomware actors known as PYSA, aka Menipoza Ransomware Gang.
  • PYSA’s ChaChi infrastructure appears to have been largely dormant for the past several weeks, mostly parked and apparently no longer operational.
  • We assess with moderate confidence this sample represents the PYSA actor expanding into targeting Linux hosts with ChaChi backdoor.

Background

Ransomware is quickly expanding into Linux and cloud networks as threat actors evolve their campaigns. For example, in recent weeks the BlackMatter ransomware gang, HelloKitty ransomware, and REvil ransomware were first observed expanding into Linux targeting through ESXi servers with ELF encryptors. The ransomware shift toward Linux targeting is an important trend to watch, as threat actors continue to evolve their campaigns against Linux and cloud-centric networks.

Analysis

In August of 2021, Lacework Labs identified a Linux variant (MD5: 14abd57e8eb06191f12c0d84f9c1470b) of ChaChi. ChaChi refers to a customized variant of an open-source Golang based RAT that leverages DNS tunneling for C2 communication. The specimen was configured with domains that were reported by Palo Alto Networks in July:

  • sbvjhs.xyz
  • sbvjhs.club
  • firefox-search.xyz

While the specimen was only recently observed, it was uploaded to VirusTotal on June 14th 2021, and had only 1/61 AV detections at the time. Following our tweet in late August, the detection rate has risen to 20/61 as of this writing.
Figure 1. AV detection over time

The Linux variant shares characteristics with its Windows counterpart, most notably the core functionality, the large file size (8MB+) and the use of the Golang obfuscator Gobfuscate. A distinguishing characteristic of the Linux version is the presence of debug output containing datetime data.
Figure 2. Debug Output

ChaChi leverages custom nameservers that double as C2s to support the DNS tunneling protocol. As such, the C2 hosts can be identified with passive DNS analysis of the nameserver domains. Analysis shows that the majority of ChaChi infrastructure has been parked or offline since 23-24 June 2021. The two exceptions appear to be the domains ns1.ccenter.tech and ns2.spm.best.
Figure 3. C2 Whois and nameservers example

At the time of this blog, two domains from the Linux variant (sbvjhs.xyz and sbvjhs.club) resolved to the Amazon IP address 99.83.154.118. This IP is an AWS Global Accelerator host and has several AV detections on VirusTotal; however, our analysis indicates it is most likely used by Namecheap for domain parking purposes and should not be used as a ChaChi IOC. The following table lists known ChaChi nameservers along with their resolutions. Several domains have been parked on either Amazon or Namecheap, but those resolutions were filtered out.

HOSTNAME | IP_ADDR | ASN | COUNTRY | FIRST_SEEN | LAST_SEEN
ns1.englishdialoge.xyz | 160.20.147.184 | 30823:"combahton GmbH" | Germany | Thu, 26 Nov 2020 23:27:18 -0800 | Thu, 24 Jun 2021 09:22:03 -0700
ns2.englishdialoge.xyz | 160.20.147.184 | 30823:"combahton GmbH" | Germany | Thu, 26 Nov 2020 23:27:18 -0800 | Thu, 24 Jun 2021 09:22:03 -0700
ns1.englishdict.xyz | 172.96.189.167 | 20068:"HAWKHOST" | Canada | Thu, 05 Nov 2020 03:39:33 -0800 | Thu, 24 Jun 2021 06:26:43 -0700
ns2.englishdict.xyz | 172.96.189.167 | 20068:"HAWKHOST" | Canada | Thu, 05 Nov 2020 03:39:33 -0800 | Thu, 24 Jun 2021 06:26:43 -0700
ns1.english-breakfast.xyz | 172.96.189.22 | 20068:"HAWKHOST" | Canada | Tue, 15 Dec 2020 15:45:14 -0800 | Thu, 24 Jun 2021 13:38:42 -0700
ns1.pump-online.xyz | 172.96.189.246 | 20068:"HAWKHOST" | Canada | Tue, 15 Dec 2020 15:45:55 -0800 | Thu, 24 Jun 2021 05:00:38 -0700
ns2.english-breakfast.xyz | 172.96.189.246 | 20068:"HAWKHOST" | Canada | Tue, 15 Dec 2020 15:45:14 -0800 | Thu, 24 Jun 2021 13:38:42 -0700
ns2.pump-online.xyz | 172.96.189.246 | 20068:"HAWKHOST" | Canada | Tue, 15 Dec 2020 15:45:55 -0800 | Thu, 24 Jun 2021 05:00:38 -0700
ns1.blitzz.best | 185.185.27.3 | 201206:"Droptop GmbH" | Germany | Sat, 06 Jun 2020 01:29:35 -0700 | Wed, 02 Jun 2021 11:14:52 -0700
ns2.blitzz.best | 185.185.27.3 | 201206:"Droptop GmbH" | Germany | Sat, 06 Jun 2020 01:29:35 -0700 | Wed, 02 Jun 2021 11:14:52 -0700
ns1.firefox-search.xyz | 185.186.245.85 | 40824:"WZCOM" | United States | Mon, 07 Sep 2020 15:35:41 -0700 | Wed, 23 Jun 2021 07:31:39 -0700
ns2.firefox-search.xyz | 185.186.245.85 | 40824:"WZCOM" | United States | Mon, 07 Sep 2020 15:35:41 -0700 | Wed, 23 Jun 2021 07:31:39 -0700
ns1.reportservicefuture.website | 185.193.38.60 | 57878:"Prager Connect GmbH" | France | Sat, 09 May 2020 11:04:41 -0700 | Sun, 02 May 2021 08:04:13 -0700
ns2.reportservicefuture.website | 185.193.38.60 | 57878:"Prager Connect GmbH" | France | Sat, 09 May 2020 11:04:41 -0700 | Sun, 02 May 2021 08:04:13 -0700
ns1.wiki-text.xyz | 193.239.84.205 | 9009:"M247 Ltd" | United Kingdom | Thu, 03 Sep 2020 15:58:08 -0700 | Wed, 23 Jun 2021 08:18:42 -0700
ns2.wiki-text.xyz | 193.239.84.205 | 9009:"M247 Ltd" | United Kingdom | Thu, 03 Sep 2020 15:58:08 -0700 | Wed, 23 Jun 2021 08:18:42 -0700
ns1.visual-translator.xyz | 193.239.85.55 | 9009:"M247 Ltd" | Romania | Thu, 03 Sep 2020 14:35:02 -0700 | Wed, 23 Jun 2021 08:18:41 -0700
ns2.visual-translator.xyz | 193.239.85.55 | 9009:"M247 Ltd" | Romania | Thu, 03 Sep 2020 14:35:02 -0700 | Wed, 23 Jun 2021 08:18:41 -0700
ns1.sbvjhs.xyz | 194.187.249.102 | 9009:"M247 Ltd" | France | Sat, 01 Aug 2020 21:29:06 -0700 | Wed, 23 Jun 2021 07:08:08 -0700
ns2.sbvjhs.xyz | 194.187.249.102 | 9009:"M247 Ltd" | France | Sat, 01 Aug 2020 21:29:06 -0700 | Wed, 23 Jun 2021 07:08:08 -0700
ns1.statistics-update.xyz | 194.5.249.186 | 64398:"Nxtservers Srl" | Romania | Fri, 31 Jul 2020 09:23:54 -0700 | Wed, 23 Jun 2021 06:56:20 -0700
ns2.statistics-update.xyz | 194.5.249.186 | 64398:"Nxtservers Srl" | Romania | Fri, 31 Jul 2020 09:23:54 -0700 | Wed, 23 Jun 2021 06:56:20 -0700
ns1.accounting-consult.xyz | 194.5.249.180 | 64398:"Nxtservers Srl" | Romania | Sun, 02 Aug 2020 06:27:13 -0700 | Wed, 23 Jun 2021 07:37:33 -0700
ns2.accounting-consult.xyz | 194.5.249.180 | 64398:"Nxtservers Srl" | Romania | Sun, 02 Aug 2020 06:27:13 -0700 | Wed, 23 Jun 2021 07:37:33 -0700
ns1.ntservicepack.com | 194.5.250.216 | 64398:"Nxtservers Srl" | Romania | Wed, 29 Apr 2020 10:19:42 -0700 | Tue, 24 Nov 2020 00:58:02 -0800
ns2.ntservicepack.com | 194.5.250.216 | 64398:"Nxtservers Srl" | Romania | Wed, 29 Apr 2020 10:19:42 -0700 | Tue, 24 Nov 2020 00:58:02 -0800
ns1.starhouse.xyz | 198.252.100.37 | 20068:"HAWKHOST" | United States | Thu, 26 Nov 2020 21:55:56 -0800 | Thu, 24 Jun 2021 14:24:10 -0700
ns2.starhouse.xyz | 198.252.100.37 | 20068:"HAWKHOST" | United States | Thu, 26 Nov 2020 21:55:56 -0800 | Thu, 24 Jun 2021 14:24:10 -0700
ns1.ccenter.tech | 23.83.133.136 | 19148:"LEASEWEB-USA-PHX-11" | United States | Wed, 24 Mar 2021 12:30:02 -0700 | Tue, 31 Aug 2021 04:10:51 -0700
ns2.ccenter.tech | 23.83.133.136 | 19148:"LEASEWEB-USA-PHX-11" | United States | Wed, 24 Mar 2021 12:30:02 -0700 | Tue, 31 Aug 2021 04:10:51 -0700
ns1.transnet.wiki | 45.147.228.49 | 30823:"combahton GmbH" | Germany | Wed, 24 Mar 2021 12:30:03 -0700 | Wed, 23 Jun 2021 08:13:07 -0700
ns2.transnet.wiki | 45.147.228.49 | 30823:"combahton GmbH" | Germany | Wed, 24 Mar 2021 12:30:03 -0700 | Wed, 23 Jun 2021 08:13:07 -0700
ns1.productoccup.tech | 45.147.229.29 | 30823:"combahton GmbH" | Germany | Tue, 23 Mar 2021 03:17:32 -0700 | Thu, 24 Jun 2021 07:16:58 -0700
ns2.productoccup.tech | 45.147.229.29 | 30823:"combahton GmbH" | Germany | Tue, 23 Mar 2021 03:17:32 -0700 | Thu, 24 Jun 2021 07:16:58 -0700
ns2.spm.best | 72.52.178.23 | 32244:"LIQUIDWEB" | United States | Fri, 23 Jul 2021 04:32:25 -0700 | Tue, 31 Aug 2021 06:03:43 -0700
ns1.sbvjhs.club | 89.38.225.208 | 9009:"M247 Ltd" | Singapore | Sun, 02 Aug 2020 05:45:47 -0700 | Wed, 23 Jun 2021 11:33:13 -0700
ns2.sbvjhs.club | 89.38.225.208 | 9009:"M247 Ltd" | Singapore | Sun, 02 Aug 2020 05:45:47 -0700 | Wed, 23 Jun 2021 11:33:13 -0700
ns1.serchtext.xyz | 89.41.26.173 | 9009:"M247 Ltd" | United States | Mon, 02 Nov 2020 13:30:18 -0800 | Thu, 24 Jun 2021 06:26:39 -0700
ns2.serchtext.xyz | 89.41.26.173 | 9009:"M247 Ltd" | United States | Mon, 02 Nov 2020 13:30:18 -0800 | Thu, 24 Jun 2021 06:26:39 -0700
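Because ChaChi's nameservers double as its C2s, a defender's most direct use of the table above is to sweep resolver query logs for lookups under those registered domains. The following script is an added example and not code from the Lacework post: it embeds the nameserver domains from the table as an IOC set, parses a few constructed log lines in a simplified BIND-style query log format (the format and the client addresses are assumptions), flags queries whose registered domain is on the list, tallies hits per client (repeated TXT lookups under one IOC domain are the shape DNS tunneling leaves in a resolver log), and excludes the Namecheap parking address 99.83.154.118 that the post says should not be treated as a ChaChi IOC.

```python
"""Match DNS query logs against the ChaChi nameserver domains listed above.

Added defensive example; the log format and sample lines are constructed.
"""
import re
from collections import Counter

# Registered domains taken from the nameserver table above (ns1/ns2 labels dropped).
CHACHI_DOMAINS = {
    "englishdialoge.xyz", "englishdict.xyz", "english-breakfast.xyz",
    "pump-online.xyz", "blitzz.best", "firefox-search.xyz",
    "reportservicefuture.website", "wiki-text.xyz", "visual-translator.xyz",
    "sbvjhs.xyz", "statistics-update.xyz", "accounting-consult.xyz",
    "ntservicepack.com", "starhouse.xyz", "ccenter.tech", "transnet.wiki",
    "productoccup.tech", "spm.best", "sbvjhs.club", "serchtext.xyz",
}

# The post notes that 99.83.154.118 is an AWS Global Accelerator address used by
# Namecheap for domain parking and must not be treated as a ChaChi IOC.
PARKING_IPS = {"99.83.154.118"}

# Constructed sample lines in a simplified BIND-style query log format (assumption).
SAMPLE_LOG = """\
31-Aug-2021 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A +
31-Aug-2021 10:01:05.456 client 10.0.0.7#40211: query: a3f9c2e1b7d4.sbvjhs.xyz IN TXT +
31-Aug-2021 10:01:06.789 client 10.0.0.7#40212: query: 9e1d0c7b5a33.sbvjhs.xyz IN TXT +
31-Aug-2021 10:01:09.001 client 10.0.0.9#33001: query: mail.corp.internal IN A +
31-Aug-2021 10:01:11.222 client 10.0.0.7#40213: query: 4c8b2a19f0e6.ns1.ccenter.tech IN TXT +
"""

QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def registered_domain(qname):
    """Return the last two labels of a query name, lower-cased.

    Every domain in the IOC list uses a single-label TLD (.xyz, .best, .tech,
    .wiki, .website, .club, .com), so two labels are enough here; a public
    suffix list would be needed for names under e.g. .co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_query_log(text):
    """Yield (client, qname, qtype) for each parsable query line."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")


def find_chachi_queries(text):
    """Return the queries whose registered domain is a known ChaChi nameserver domain."""
    return [
        (client, qname, qtype)
        for client, qname, qtype in parse_query_log(text)
        if registered_domain(qname) in CHACHI_DOMAINS
    ]


def clients_by_hit_count(hits):
    """Count IOC matches per client; a single host with many hits is the
    first thing to triage."""
    return Counter(client for client, _, _ in hits)


def is_actionable_ip(ip):
    """Reject resolution results that the post attributes to domain parking."""
    return ip not in PARKING_IPS


if __name__ == "__main__":
    hits = find_chachi_queries(SAMPLE_LOG)
    for client, qname, qtype in hits:
        print(f"{client} -> {qname} ({qtype})")
    print(clients_by_hit_count(hits))
```

Matching on the registered domain rather than the full ns1/ns2 hostname is deliberate: the tunneled data rides in the subdomain labels, so the query names a resolver sees are children of these domains, not the nameserver names themselves. Matching the resolver's answers against the IP column of the table is a second, independent check, provided parking addresses are filtered as shown.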


Conclusion

Many actors target multiple architectures to increase their footprint, so this may be the motive here, and it could represent an evolution in PYSA operations. It is currently unclear whether the Linux variant was used in operations; however, it was observed prior to the associated infrastructure going offline. The observed debug output, on the other hand, may indicate the specimen is still in the testing phase.

Ransomware is hugely lucrative, and actors are continuously looking for any edge that will increase their profits. While ransomware activity involving Linux servers and cloud infrastructure remains rare, it still poses a real threat to business operations and customer data. Indicators for this activity are available on the Lacework Labs GitHub. If you found this blog useful then please share and follow us on LinkedIn and Twitter!

Source: https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/?web_view=true
