Connect with us

Business

PYSA Group Joins the Cabal of Malware Groups Targeting Linux

Published

on

Recently, the PYSA ransomware gang expanded its attack portfolio by adding support to Linux-based systems. Experts noted a Linux version of ChaChi on VirusTotal. ChaChi is a Golang-based DNS tunneling backdoor that uses the domains associated with the PYSA ransomware group.

What has happened?

ChaChi was first uploaded to VirusTotal on June 14 and, at that time, it had only 1 out of 61 antivirus detections. Later in August, Lacework Labs discovered the Linux variant of ChaChi.

  • The Linux variant has most of the same features as its Windows counterparts, such as the core functionality, large file size (larger than 8 MB), and the use of Golang obfuscator Gobfuscate.
  • One of the unique features of the Linux version is the existence of debug output with DateTime data. It uses custom nameservers that double as C2 servers to use the DNS tunneling protocol. 
  • Most of the ChaChi infrastructure has been offline or not active since late June. However, two domains ns1[.]ccenter[.]tech and ns2[.]spm[.]best seem to be online and active.
  • Two of the used domains (sbvjhs[.]xyz/sbvjhs[.]club) are from the Linux variant resolving at Amazon IP address 99[.]83[.]154[.]118. The IP is believed to be used by Namecheap for domain parking.

Other ransomware gangs doing the same

Besides PYSA, several cybercriminals have recently been observed to be targeting Linux-based systems and networks in addition to Windows.

  • In August, the BlackMatter ransomware group had developed a Linux-based encrypter to target VMware’s ESXi VM platform mostly because of its enterprise-wide popularity.
  • Additionally, two ransomware groups known as HelloKitty and REvil were observed to be targeting Linux-based systems, specifically ESXi servers with ELF encryptors.

Conclusion

It is a common tendency observed in many cybercriminals to develop multi-platform malware to expand their victim base. The Linux variant from the PYSA ransomware group has not been observed in any active attacks so far. However, in the future, this malware could be used in attack campaigns. Do watch out!

Source: https://cyware.com/news/pysa-group-joins-the-cabal-of-malware-groups-targeting-linux-7614e5a1

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO