[MART] - Daily Diary #608 - Emperor Dragonfly Hacking Group

ctas-mat at appgate.com ctas-mat at appgate.com
Tue Oct 4 23:29:23 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

10/04/2022 - Diary entry #608:

Emperor Dragonfly, also known as DEV-0401 and BRONZE STARLIGHT, is a Chinese hacking group that started its activities in mid-2021. Since then, they have been using a great variety of payloads from different ransomware families to evade attribution and they don’t operate in the affiliate model nor in the Ransomware-as-a-service business, controlling all stages of the attack lifecycle independently.

Earlier this year, the group was observed compromising a VMware Horizon server by leveraging the Log4Shell vulnerability. Next, PowerShell was used to execute reconnaissance commands and download a  Cobalt Strike Beacon to communicate with a Command and Control (C&C) server. Then, to move laterally, they used Impacket’s well-known Python modules SMBExec and WMIExec. Finally, they used Rclone, an open-source command-line tool, to exfiltrate sensitive information to the cloud storage service “Mega” and deployed the Cheerscrypt ransomware as their final action.

Cheerscrypt is a ransomware known as a Linux-based ransomware family that targets ESXi servers but it was also observed encrypting the Windows system in the attack detailed above. Besides using Cheerscrypt, the group frequently rebrand the ransomware payloads that they use, such as Night Sky, Rook, Pandora, and AtomSilo with the objective of masking cyberespionage campaigns as financially-motivated attacks.

Using rebranded payloads and not operating as we are used to observing in other ransomware groups allowed this group to stay under the radar, difficulting the attribution of the attacks. As we have covered ransomware source codes and tools being leaked, they all can become powerful tools in the hands of advanced threat actors.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research team


E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20221004/af176889/attachment.htm>

More information about the MART mailing list