Hackers in China have been linked to the Cheerscrypt ransomware.

A Chinese hacking group known as “Emperor Dragonfly” has been linked to the Cheerscrypt ransomware, and they are known to frequently switch between ransomware families to avoid being caught. Since 2021, the ransomware group has been observed employing multiple ransomware families under various aliases, including Bronze Starlight (Secureworks) and DEV-0401 (Microsoft).

Though it appears that the hacking group is running a ransomware operation, prior research has shown that many of their victims are of interest to the Chinese government. Researchers have concluded that the hacking group’s ransomware activities may be a front for Chinese government-sponsored cyber espionage.

Night Sky and Cheerscrypt

Sygnia’s security experts determined during an incident response earlier this year that the attackers used the Apache ‘Log4Shell’ Log4j vulnerability (CVE-2021-44228) to execute PowerShell commands, which in turn initiates the DLL-sideloading technique typical of Night Sky TTPs. Then, they planted a Cobalt Strike beacon linked to a Command and Control (C2) address normally used for Night Sky operations. Attackers used a modified version of the Aliyun OSS keylogger, a modified version of the ‘IOX’ port-forwarding and proxy tool, and a modified version of the ‘NPS’ tunnelling tool, all of which are Go tools that are rarely seen in the ransomware space. While the attack followed the same pattern of reconnaissance and lateral movement as previous Night Sky attacks, the ransomware strain used to encrypt Windows and Linux ESXi machines was not Night Sky but rather Cheerscrypt.

In May of 2022, researchers at Trend Micro discovered an encryptor for VMware ESXi servers, which they later dubbed the “Cheers” ransomware. The hackers, like other enterprise-focused ransomware groups, break into systems, steal data, and encrypt devices. This information is then used in a second extortion attempt before the victim is finally forced to pay the demanded ransom. Below is an example of a data leak website that would be used if a ransom was not paid.

Frequently switching ransomware strains

Sygnia claims that Cheerscrypt is just another example of Emperor Dragonfly’s ongoing campaign of rebranding its payload in an attempt to avoid being traced. Rather than acting as a RaaS (Ransomware-as-a-Service) platform for affiliates, the ransomware group is acting as a solitary “lone wolf” in the cybercriminal underworld. According to a report published by Secureworks in June 2022, the threat actor uses ransomware families such as Night Sky, Rook, Pandora, and AtomSilo to disguise government-sponsored cyberespionage campaigns as financially motivated attacks. The same month, Microsoft added the hacking group they call DEV-0401 to a list of ransomware operations and said they were likely Chinese threat actors.

The Microsoft threat intelligence researchers noted that DEV-0401 “appears to be an activity group involved in all stages of their attack lifecycle,” beginning with gaining access to compromised systems and ending with the creation of ransomware. However, “they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads,” as one researcher put it. When compared to other human-operated ransomware threat actors tracked by Microsoft, DEV-0401 stands out as the only group that is indeed based in China. They were constantly changing ransomware families, as discovered by both Secureworks and Microsoft, and these families included LockFile and LockBit 2.0 among others.

There are many similarities between the code bases of Night Sky, Pandora, and Rook, all of which are based on the stolen source code of another game called Babuk. Trend Micro has also stated that Cheerscrypt appears to be based on Babuk, so the pieces seem to fit together. Whatever the true motivations of the group known as “Emperor Dragonfly,” exploiting vulnerabilities in publicly accessible servers on the Internet is a common tactic, so it is critical to install all available security patches as soon as possible. Since this organization is known to exploit the Log4j flaw in VMware Horizon servers, deploying the latest patches for these devices should be a top priority.

Defending Against Emperor Dragonfly

APPENDIX I: INDICATORS OF COMPROMISE 

 Cobalt Strike Beacons 

MD5	Description	File Name
37011eed9de6a90f3be3e1cbba6c5ab2	Encrypted Cobalt Strike payload	C:\Windows\Help\OEM\ContentStore\vlcplayer.dat
37011eed9de6a90f3be3e1cbba6c5ab2	Encrypted Cobalt Strike payload	C:\Windows\Help\OEM\ContentStore\vlcplayer.dat
37011eed9de6a90f3be3e1cbba6c5ab2	Encrypted Cobalt Strike payload	C:\Windows\Help\OEM\ContentStore\vlcplayer.dat
2893d476408e23b7e8a65c6898fe43fa	Encrypted Cobalt Strike payload	C:\Windows\Help\Corporate\auth.dat
8161d8339411ddd6d99d54d3aefa2943	Encrypted Cobalt Strike payload	C:\Windows\debug\debug.dat
5a852305ffb7b5abeb39fcb9a37122ff	Weaponized DLL loaded by vlc.exe	C:\Windows\Help\Corporate\libvlc.dll
f0656e3a70ab0a10f8d054149f12c935	Encrypted Cobalt Strike payload	C:\Windows\Help\Corporate\auth.dat
37011eed9de6a90f3be3e1cbba6c5ab2	Encrypted Cobalt Strike payload	C:\Windows\Help\Corporate\vlcplayer.dat

Go Tools

MD5	Description	File Name
5695de561a065123178067fcedf39ce3	NPC client for NPS tunnel tool	C:\Windows\Help\mui\0409\WindowsUpdate.exe
ea4ca87315d14f5142aaef1f5e287417	Keylogger	C:\Windows\Help\OEM\ContentStore.exe
5a6008cf994779cde1698a0e80bb817d	IOX port forwarder and proxy	C:\Windows\Help\Windows\dec.exe

 Additional Artifacts

Artifact	Description
GrPpQGgI4se5fTIRkxBj/nfbcPvfJWpyY5EtRD0hf/CW9u6cXM4f4VKyyzaHJG/OLcdjB95YaMDP6Y1d-Mg	Go Build ID of NPS client-side binary (WindowsUpdate.exe)
GriAm-TYSQig04-nXbTE/9gsYQSitnL9GPHKgpNUX/	Go Build ID of the keylogger (ContentStore.exe)
QA-vmpyo7vFHuU7RQ\ Y/ _NwncoU6QsMYGeukgxTd
System Service Update	Service name; persistency mechanism for NPS client-side binary
C85A6814B99C8302AF484563D47D9658	MD5 hash of SharpShares, an open-source tool to enumerate shares
07d14d16d21d21d00042d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926	JARM hash of the Cobalt Strike C&C servers

 Network Indicators

IP Address	Description	URL
207[.]148[.]122[.]171	C&C server	api[.]rogerscorp[.]org
139[.]180[.]217[.]203	C&C server (Cobalt Strike Beacon was downloaded from this IP)
178[.]128[.]102[.]13	Cobalt Strike C&C server
139[.]59[.]243[.]219	Cobalt Strike C&C server
128[.]199[.]151[.]146	NPS server

 Legitimate Executables  

MD5	Description	File Name
322ead69300501356b13d751165daa	Signed McAfee file used to side-load LockDown.dll	c:\Windows\debug\mfeann.exe
51be3e3a8101bc4298b43a64540c422b	Signed FortiClient file used to side-load utilsdll.dll	C:\Windows\Help\Corporate\FCAuth.exe
e2904f5301b35b2722faf578d1f7a4d4	Signed VLC file used to side-load libvlc.dll	C:\Windows\Help\Corporate\vlc.exe

APPENDIX II: MITRE ATT&CK TTPS

1. Initial Access
   1. T1190: Exploit Public-Facing Application
2. Execution
   1. T1059.001: Command and Scripting Interpreter: PowerShell
   2. T1059.003: Command and Scripting Interpreter: Windows Command Shell
   3. T1047: Windows Management Instrumentation
   4. T1569.002: System Services: Service Execution
3. Persistence
   1. T1543.003: Create or Modify System Process: Windows Service
4. Defense Evasion
   1. T1027.002: Obfuscated Files or Information: Software Packing
   2. T1574.002: Hijack Execution Flow: DLL Side-Loading
   3. T1070.004: Indicator Removal on Host: File Deletion
5. Discovery
   1. T1135: Network Share Discovery
   2. T1087.002: Account Discovery: Domain Account
   3. T1082: System Information Discovery
   4. T1016: System Network Configuration Discovery
6. Lateral Movement
   1. T1570: Lateral Tool Transfer
   2. T1021.001: Remote Services: Remote Desktop Protocol
7. Collection
   1. T1039: Data from Network Shared Drive
   2. T1056.001: Input Capture: Keylogging
8. Command & Control
   1. T1090: Proxy
   2. T1095: Non-Application Layer Protocol
   3. T1572: Protocol Tunneling
   4. T1071.001: Application Layer Protocol: Web Protocols
   5. T1132.001: Data Encoding: Standard Encoding
   6. T1573: Encrypted Channel
9. Exfiltration
   1. T1048: Exfiltration Over Alternative Protocol
   2. T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
10. Impact
    1. T1486: Data Encrypted for Impact

Contributors: Oren Biderman, Amnon Kushnir, Noam Lifshitz, Ori Porag, Yoav Mazor, Erez Kalman, Haim Nachmias