Malware Update: Education Malware Morphs to be Undetectable

Malware written in ‘Go’ (or ‘Golang’), a relatively new programming language, is being used to specifically target schools. Once successfully executed, the Trojan enables remote exfiltration of data and control over systems, using traffic that is undetectable at the firewall. Identifying the Trojan is made more difficult by the unfamiliarity of ‘Go’ and, specifically, by how the attackers obfuscate the ‘fingerprint’ of their actions, which leaves anti-virus and associated technology unable to identify the malicious activity. It’s important to understand that the Trojan seeks to present itself as a legitimate service or application. Because the fingerprint of how it operates is unknown, the anti-virus passes it by, believing it poses no threat to the network.

The remote access Trojan (RAT), named ChaChi, has been tracked by the BlackBerry Threat Research and Intelligence Team since 2020. In recent months, BlackBerry reports that a more refined version has been developed, and it is this version which is targeting education institutions, as reported by the NCSC and the FBI.

Once in place, the attacker moves laterally through the systems, seeking to exploit vulnerabilities in the systems and services. This is relatively easy to do in most schools, hence the attraction to cyber attackers.

The attacker communicates remotely with the Trojan, providing command and control direction using TXT records over DNS. This traffic is often undetectable at the firewall. Once in place, there’s little that can be done to stop the attacker progressing their attack.
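One place defenders can look for the DNS TXT command-and-control pattern described above is the DNS resolver's query log, where a single client sending many TXT lookups with long, random-looking subdomains to one domain stands out. The following Python sketch is an added example, not code from this post or from BlackBerry's research; the log format, thresholds, addresses and domain names are constructed assumptions and are not ChaChi indicators.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: <time> <client> <qtype> <qname>.
# All addresses and domains are invented for this example.
SAMPLE_LOG = """\
2021-06-01T09:00:01 10.0.4.22 A www.example.org
2021-06-01T09:00:02 10.0.4.22 TXT _dmarc.example.org
2021-06-01T09:00:03 10.0.4.22 TXT selector1._domainkey.example.org
2021-06-01T09:00:05 10.0.4.17 TXT k3v9q2m7x1z8b4n6c0j5hdlw.updates-cdn.example
2021-06-01T09:00:06 10.0.4.17 TXT p7f2y9t4r1e6w3u8i5o0a2sg.updates-cdn.example
2021-06-01T09:00:07 10.0.4.17 TXT m4n8b2v6c1x9z3l7k5j0hgfd.updates-cdn.example
2021-06-01T09:00:08 10.0.4.17 TXT q1w2e3r4t5y6u7i8o9p0asdf.updates-cdn.example
2021-06-01T09:00:09 10.0.4.17 TXT z9x8c7v6b5n4m3a2s1d0fghj.updates-cdn.example
2021-06-01T09:00:10 10.0.4.17 TXT t6y5u4i3o2p1a9s8d7f0gkhl.updates-cdn.example
"""

def entropy(s):
    """Shannon entropy of a non-empty string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname, base_labels=2):
    """Split a query name into (subdomain, base domain).
    Assumption: the last two labels are the registered domain; a production
    tool would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def suspicious_txt_clients(log_text, min_queries=5, min_len=20, min_entropy=3.5):
    """Return (client, base_domain, count) where one client sent at least
    min_queries distinct long, high-entropy TXT lookups under one domain."""
    seen = defaultdict(set)  # (client, base domain) -> distinct subdomains
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue  # ignore malformed lines and non-TXT queries
        sub, base = split_name(parts[3])
        if sub:
            seen[(parts[1], base)].add(sub)
    findings = []
    for (client, base), subs in sorted(seen.items()):
        odd = [s for s in subs
               if len(s) >= min_len and entropy(s.replace(".", "")) >= min_entropy]
        if len(odd) >= min_queries:  # one long DKIM lookup alone stays below this
            findings.append((client, base, len(odd)))
    return findings
```

The thresholds need tuning against a baseline of normal traffic, since legitimate services also use TXT lookups heavily.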

When access to sensitive data and information is obtained, the data is exfiltrated through a tunnel, passing the firewall without detection. In many cases ransomware is then installed, encrypting systems, data and services, with the ransom demand in the many hundreds of thousands of dollars.

Where the ransom is not paid, the exfiltrated data is published on the dark web for other actors to use. In many cases, the data published by these attackers includes academic records, financial records, counselling and child safeguarding records. The consequences of these data dumps for your staff, students and families are far more than just financial.

Regardless of whether a ransom is paid or not, a rebuild of all systems, services and devices is likely to be required. Whilst this mostly affects Windows systems, other similar types of Trojans also target macOS.

 

Protecting your institution

The first step in protecting your institution is to understand how vulnerable you are to an attacker being able to move laterally through your IT systems and services. You can do this through a 9ine Cyber Vulnerability and Penetration Assessment. This includes an internal review and an external assessment of your firewall.

The second step is a security ‘hardening’ of your systems and services. We are often surprised by how misconfigured IT systems and services are in schools. A misconfigured system is a honey pot to an attacker. If you configure your systems properly, you are, for the most part, unlikely to be a victim of an attack. The primary reason that we find for misconfigurations is underinvestment by the institution in terms of training, skills, capability and capacity. This is not necessarily about buying more expensive hardware; it’s about properly configuring what you have bought. This takes time and expertise. 9ine’s Security & Systems Essentials is a subscription that builds capability and capacity in your organization, following the 10 Steps to Cyber Security and other frameworks. If you’re looking for protection, Systems & Security Essentials is the cost-effective, structured, and risk-based modular framework you need.

 

Immediate actions you can take

Currently, the method of attack is through RDP services exposed through the firewall. Turning these off, or changing the port number, can significantly reduce your risk without having to incur any cost.

For UK institutions, you should also register your external IP addresses with the NCSC’s Early Warning Service. They will monitor the external perimeter of your school network for signs of an attack. It’s free.

For all institutions, you can install ‘Logging Made Easy’, a free tool to monitor your Microsoft environment for signs of attack. Further information is available from the NCSC.

Protecting the community of schools

Sharing the intelligence within this blog with other schools will vastly improve the knowledge of cyber attacks and, importantly, taking simple action such as closing RDP services will protect other schools from a successful attack.

To learn more about 9ine’s cyber services, get in touch.
