PYSA, a ransomware group, now targets Linux systems as well as Windows. Researchers found on VirusTotal a Linux variant of ChaChi, a Golang-based DNS tunneling backdoor that uses domains linked to the PYSA ransomware gang.
The ChaChi sample was first submitted to VirusTotal on June 14, when only 1 of 61 antivirus engines detected it. Lacework Labs later identified the Linux version of ChaChi in late August.
Key points about the Linux variant:
- The Linux and Windows builds share most features, including large binaries (over 8 MB), the same core functionality, and use of the Golang obfuscator Gobfuscate.
- Since June, most of the ChaChi infrastructure has been offline or inactive, but two domains, ns1[.]ccenter[.]tech and ns2[.]spm[.]best, still appear to be live.
- A distinctive trait of the Linux build is that it emits debug output carrying DateTime information. For DNS tunneling it uses custom nameservers that double as C2 servers: because the attacker controls the authoritative nameserver for the domain, every encoded query for a subdomain under it is delivered straight to the C2.
- The domains used by the Linux variant, sbvjhs[.]xyz and sbvjhs[.]club, resolve to 99[.]83[.]154[.]118, an Amazon IP address that Namecheap is believed to use for domain parking, so the resolution alone does not indicate live C2.
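Because ChaChi carries its traffic in DNS queries to attacker-run nameservers, the practical hunt is in resolver logs. The following is an added example written for this article, not code from the Lacework report or from the malware: it scans constructed DNS query log lines (a simplified "timestamp client qname qtype" format, not real captures) and flags queries that either hit the apex domains named above or look like tunnel payload, that is a long, high-entropy subdomain, typically in TXT lookups. The thresholds and the two-label apex approximation are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter

# Apex domains named in the article (written defanged there as ccenter[.]tech etc.).
IOC_DOMAINS = ("ccenter.tech", "spm.best", "sbvjhs.xyz", "sbvjhs.club")

# Constructed sample log lines for this example; they are illustrative,
# not captured ChaChi traffic. Format: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2021-09-01T10:00:01Z 10.0.0.5 www.example.com A
2021-09-01T10:00:02Z 10.0.0.5 mail.example.com MX
2021-09-01T10:00:03Z 10.0.0.7 x7q3k9z2mf8vplc4w1n6hd0bsyt5ej2r.ns1.ccenter.tech TXT
2021-09-01T10:00:03Z 10.0.0.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.p9q8r7s6t5u4v3w2.sbvjhs.xyz TXT
2021-09-01T10:00:04Z 10.0.0.9 cdn.static-assets.example.net CNAME
2021-09-01T10:00:05Z 10.0.0.7 kq2z9vw7m4xp1nh8tdc3sb6fyj0rl5ge.ns2.spm.best TXT
2021-09-01T10:00:06Z 10.0.0.9 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded tunnel payload scores high, repeated filler scores ~0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_apex(qname: str):
    """Approximate the registrable domain as the last two labels (assumption for
    this example; production code should use the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_query(qname: str, qtype: str, min_payload_len: int = 30, min_entropy: float = 3.5):
    """Return the list of reasons a query is suspicious (empty list = benign).
    Thresholds are illustrative assumptions, not values from the report."""
    apex, sub = split_apex(qname)
    payload = sub.replace(".", "")  # tunnel data spans one or more labels
    reasons = []
    if apex in IOC_DOMAINS:
        reasons.append(f"known ChaChi domain {apex}")
    ent = shannon_entropy(payload)
    if len(payload) >= min_payload_len and ent >= min_entropy:
        reasons.append(f"tunnel-like subdomain (len={len(payload)}, entropy={ent:.2f})")
    if qtype.upper() == "TXT" and len(payload) >= min_payload_len:
        reasons.append("long TXT lookup")
    return reasons


def scan_log(text: str):
    """Parse log lines and return one alert dict per suspicious query."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crashing the scan
        ts, client, qname, qtype = m.groups()
        reasons = score_query(qname, qtype)
        if reasons:
            alerts.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} {alert['qname']}")
        for r in alert["reasons"]:
            print(f"    - {r}")
```

On the constructed sample, the three queries from 10.0.0.7 are flagged and the benign lines are not, including the long but zero-entropy `aaaa...example.com` name, which is why length alone is a poor rule. Content-addressed CDN hostnames will still trip the entropy rule, so in a real deployment pair it with per-client query volume toward one apex and with the indicator list rather than relying on entropy by itself.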
PYSA is not the only gang targeting both Linux and Windows systems: the BlackMatter ransomware gang, HelloKitty, and REvil also have Linux-capable tooling.
Many groups now build multi-platform malware to widen their victim pool. The Linux ChaChi variant has not yet been observed in any attack, but it could be used in future incidents.