PYSA Group Joins the Cabal of Malware Groups Targeting Linux

What has happened?

• The Linux variant has most of the same features as its Windows counterparts, such as the core functionality, large file size (larger than 8 MB), and the use of Golang obfuscator Gobfuscate.
• One of the unique features of the Linux version is the existence of debug output with DateTime data. It uses custom nameservers that double as C2 servers to use the DNS tunneling protocol. 
• Most of the ChaChi infrastructure has been offline or not active since late June. However, two domains ns1[.]ccenter[.]tech and ns2[.]spm[.]best seem to be online and active.
• Two of the used domains (sbvjhs[.]xyz/sbvjhs[.]club) are from the Linux variant resolving at Amazon IP address 99[.]83[.]154[.]118. The IP is believed to be used by Namecheap for domain parking.

Other ransomware gangs doing the same

• In August, the BlackMatter ransomware group had developed a Linux-based encrypter to target VMware's ESXi VM platform mostly because of its enterprise-wide popularity.
• Additionally, two ransomware groups known as HelloKitty and REvil were observed to be targeting Linux-based systems, specifically ESXi servers with ELF encryptors.

Conclusion