A Chinese hacking group known as “Emperor Dragonfly” has been linked to the Cheerscrypt ransomware, and they are known to frequently switch between ransomware families to avoid being caught. Since 2021, the ransomware group has been observed employing multiple ransomware families under various aliases, including Bronze Starlight (Secureworks) and DEV-0401 (Microsoft).
Though it appears that the hacking group is running a ransomware operation, prior research has shown that many of their victims are of interest to the Chinese government. Researchers have concluded that the hacking group’s ransomware activities may be a front for Chinese government-sponsored cyber espionage.
Night Sky and Cheerscrypt
Sygnia’s security experts determined during an incident response earlier this year that the attackers used the Apache ‘Log4Shell’ Log4j vulnerability (CVE-2021-44228) to execute PowerShell commands, which in turn initiates the DLL-sideloading technique typical of Night Sky TTPs. Then, they planted a Cobalt Strike beacon linked to a Command and Control (C2) address normally used for Night Sky operations. Attackers used a modified version of the Aliyun OSS keylogger, a modified version of the ‘IOX’ port-forwarding and proxy tool, and a modified version of the ‘NPS’ tunnelling tool, all of which are Go tools that are rarely seen in the ransomware space. While the attack followed the same pattern of reconnaissance and lateral movement as previous Night Sky attacks, the ransomware strain used to encrypt Windows and Linux ESXi machines was not Night Sky but rather Cheerscrypt.
In May of 2022, researchers at Trend Micro discovered an encryptor for VMware ESXi servers, which they later dubbed the “Cheers” ransomware. The hackers, like other enterprise-focused ransomware groups, break into systems, steal data, and encrypt devices. This information is then used in a second extortion attempt before the victim is finally forced to pay the demanded ransom. Below is an example of a data leak website that would be used if a ransom was not paid.
Frequently switching ransomware strains
Sygnia claims that Cheerscrypt is just another example of Emperor Dragonfly’s ongoing campaign of rebranding its payload in an attempt to avoid being traced. Rather than acting as a RaaS (Ransomware-as-a-Service) platform for affiliates, the ransomware group is acting as a solitary “lone wolf” in the cybercriminal underworld. According to a report published by Secureworks in June 2022, the threat actor uses ransomware families such as Night Sky, Rook, Pandora, and AtomSilo to disguise government-sponsored cyberespionage campaigns as financially motivated attacks. The same month, Microsoft added the hacking group they call DEV-0401 to a list of ransomware operations and said they were likely Chinese threat actors.
The Microsoft threat intelligence researchers noted that DEV-0401 “appears to be an activity group involved in all stages of their attack lifecycle,” beginning with gaining access to compromised systems and ending with the creation of ransomware. However, “they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads,” as one researcher put it. When compared to other human-operated ransomware threat actors tracked by Microsoft, DEV-0401 stands out as the only group that is indeed based in China. They were constantly changing ransomware families, as discovered by both Secureworks and Microsoft, and these families included LockFile and LockBit 2.0 among others.
There are many similarities between the code bases of Night Sky, Pandora, and Rook, all of which are based on the stolen source code of another game called Babuk. Trend Micro has also stated that Cheerscrypt appears to be based on Babuk, so the pieces seem to fit together. Whatever the true motivations of the group known as “Emperor Dragonfly,” exploiting vulnerabilities in publicly accessible servers on the Internet is a common tactic, so it is critical to install all available security patches as soon as possible. Since this organization is known to exploit the Log4j flaw in VMware Horizon servers, deploying the latest patches for these devices should be a top priority.
Defending Against Emperor Dragonfly
APPENDIX I: INDICATORS OF COMPROMISE
Cobalt Strike Beacons
| MD5 | Description | File Name |
| 37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\OEM\ContentStore\vlcplayer.dat |
| 37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\OEM\ContentStore\vlcplayer.dat |
| 37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\OEM\ContentStore\vlcplayer.dat |
| 2893d476408e23b7e8a65c6898fe43fa | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat |
| 8161d8339411ddd6d99d54d3aefa2943 | Encrypted Cobalt Strike payload | C:\Windows\debug\debug.dat |
| 5a852305ffb7b5abeb39fcb9a37122ff | Weaponized DLL loaded by vlc.exe | C:\Windows\Help\Corporate\libvlc.dll |
| f0656e3a70ab0a10f8d054149f12c935 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat |
| 37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\vlcplayer.dat |
Go Tools
| MD5 | Description | File Name |
| 5695de561a065123178067fcedf39ce3 | NPC client for NPS tunnel tool | C:\Windows\Help\mui\0409\WindowsUpdate.exe |
| ea4ca87315d14f5142aaef1f5e287417 | Keylogger | C:\Windows\Help\OEM\ContentStore.exe |
| 5a6008cf994779cde1698a0e80bb817d | IOX port forwarder and proxy | C:\Windows\Help\Windows\dec.exe |
Additional Artifacts
Artifact | Description |
| GrPpQGgI4se5fTIRkxBj/nfbcPvfJWpyY5EtRD0hf/CW9u6cXM4f4VKyyzaHJG/OLcdjB95YaMDP6Y1d-Mg | Go Build ID of NPS client-side binary (WindowsUpdate.exe) |
| GriAm-TYSQig04-nXbTE/9gsYQSitnL9GPHKgpNUX/ | Go Build ID of the keylogger (ContentStore.exe) |
| QA-vmpyo7vFHuU7RQ\ Y/ _NwncoU6QsMYGeukgxTd | |
| System Service Update | Service name; persistency mechanism for NPS client-side binary |
| C85A6814B99C8302AF484563D47D9658 | MD5 hash of SharpShares, an open-source tool to enumerate shares |
| 07d14d16d21d21d00042d41d00041d47e4e0ae17960b2a5b4fd6107fbb0926 | JARM hash of the Cobalt Strike C&C servers |
Network Indicators
| IP Address | Description | URL |
| 207[.]148[.]122[.]171 | C&C server | api[.]rogerscorp[.]org |
| 139[.]180[.]217[.]203 | C&C server (Cobalt Strike Beacon was downloaded from this IP) | |
| 178[.]128[.]102[.]13 | Cobalt Strike C&C server | |
| 139[.]59[.]243[.]219 | Cobalt Strike C&C server | |
| 128[.]199[.]151[.]146 | NPS server |
Legitimate Executables
| MD5 | Description | File Name |
| 322ead69300501356b13d751165daa | Signed McAfee file used to side-load LockDown.dll | c:\Windows\debug\mfeann.exe |
| 51be3e3a8101bc4298b43a64540c422b | Signed FortiClient file used to side-load utilsdll.dll | C:\Windows\Help\Corporate\FCAuth.exe |
| e2904f5301b35b2722faf578d1f7a4d4 | Signed VLC file used to side-load libvlc.dll | C:\Windows\Help\Corporate\vlc.exe |
APPENDIX II: MITRE ATT&CK TTPS
- Initial Access
- T1190: Exploit Public-Facing Application
- Execution
- T1059.001: Command and Scripting Interpreter: PowerShell
- T1059.003: Command and Scripting Interpreter: Windows Command Shell
- T1047: Windows Management Instrumentation
- T1569.002: System Services: Service Execution
- Persistence
- T1543.003: Create or Modify System Process: Windows Service
- Defense Evasion
- T1027.002: Obfuscated Files or Information: Software Packing
- T1574.002: Hijack Execution Flow: DLL Side-Loading
- T1070.004: Indicator Removal on Host: File Deletion
- Discovery
- T1135: Network Share Discovery
- T1087.002: Account Discovery: Domain Account
- T1082: System Information Discovery
- T1016: System Network Configuration Discovery
- Lateral Movement
- T1570: Lateral Tool Transfer
- T1021.001: Remote Services: Remote Desktop Protocol
- Collection
- T1039: Data from Network Shared Drive
- T1056.001: Input Capture: Keylogging
- Command & Control
- T1090: Proxy
- T1095: Non-Application Layer Protocol
- T1572: Protocol Tunneling
- T1071.001: Application Layer Protocol: Web Protocols
- T1132.001: Data Encoding: Standard Encoding
- T1573: Encrypted Channel
- Exfiltration
- T1048: Exfiltration Over Alternative Protocol
- T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
- Impact
- T1486: Data Encrypted for Impact
Contributors: Oren Biderman, Amnon Kushnir, Noam Lifshitz, Ori Porag, Yoav Mazor, Erez Kalman, Haim Nachmias
