The recently discovered Linux-based ransomware strain known as Cheerscrypt has been attributed to a Chinese cyber-espionage group known for running short-lived ransomware schemes.
Cybersecurity firm Sygnia attributed the attacks to a threat actor it tracks under the name Emperor Dragonfly, which is also known as Bronze Starlight (Secureworks) and DEV-0401 (Microsoft).
Use of Cheerscrypt
Cheerscrypt was first analyzed by Trend Micro in May 2022. Like the other ransomware families employed by the APT group, the Cheerscrypt encryptor was built from the source code of Babuk ransomware, which was leaked online in June 2021.
The use of Cheerscrypt is the latest addition to a long list of ransomware families previously deployed by the group in little more than a year, which includes LockFile, AtomSilo, Rook, Night Sky, Pandora, and LockBit 2.0.
The attackers also delivered three Go-based tools along with the beacon: a keylogger that uploads captured keystrokes to Alibaba Cloud, a customized version of the internet proxy utility iox, and the tunneling software NPS.
The attackers used the open-source Impacket toolkit for reconnaissance and lateral movement within the target network.
The threat actor's modus operandi further stands out for its handling of all stages of the ransomware attack lifecycle.
Cheerscrypt's links to Emperor Dragonfly include similarities in initial access vectors, lateral movement techniques, and the deployment of an encrypted Cobalt Strike beacon by means of DLL side-loading.
Mitigation
- Identify and patch critical vulnerabilities.
- Limit outbound internet access from servers.
- Protect the virtualization platform.
- Limit lateral movement through the network.
- Protect privileged accounts.
IOCs
| MD5 | Description | File Name |
| --- | --- | --- |
| 37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\OEM\ContentStore\vlcplayer.dat |
| 240118f6205effcb3a12455a81cfb1c7 | Weaponized DLL loaded by FCAuth.exe | C:\Windows\Help\Corporate\utilsdll.dll |
| e5fd4d5774ad97e5c04b69deae33dc9e | Weaponized DLL loaded by mfeann.exe | C:\Windows\debug\LockDown.dll |
| 2893d476408e23b7e8a65c6898fe43fa | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat |
| 8161d8339411ddd6d99d54d3aefa2943 | Encrypted Cobalt Strike payload | C:\Windows\debug\debug.dat |
| 5a852305ffb7b5abeb39fcb9a37122ff | Weaponized DLL loaded by vlc.exe | C:\Windows\Help\Corporate\libvlc.dll |
| f0656e3a70ab0a10f8d054149f12c935 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat |
| 37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\vlcplayer.dat |

| IP Address | Description | Domain |
| --- | --- | --- |
| 207[.]148[.]122[.]171 | C&C server | api[.]rogerscorp[.]org |
| 139[.]180[.]217[.]203 | C&C server (Cobalt Strike Beacon was downloaded from this IP) | |
| 178[.]128[.]102[.]13 | Cobalt Strike C&C server | |
| 139[.]59[.]243[.]219 | Cobalt Strike C&C server | |
| 128[.]199[.]151[.]146 | NPS server | |
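As an added, defender-side example (not code from this article or from Sygnia), the following Python turns the DLL side-loading behaviour described above and the IOC tables into a simple check over endpoint telemetry: it flags a known side-loading host process (FCAuth.exe, mfeann.exe, vlc.exe) loading a DLL from a staging directory under C:\Windows, and matches file hashes and C2 addresses from the tables. The hashes, addresses and host process names come from the page; the list of "expected" Windows DLL directories and the sample event records are assumptions constructed for the demo.

```python
# Indicators copied from the IOC tables above (published in defanged form).
SIDELOAD_HOSTS = {"fcauth.exe", "mfeann.exe", "vlc.exe"}
KNOWN_MD5 = {
    "37011eed9de6a90f3be3e1cbba6c5ab2", "240118f6205effcb3a12455a81cfb1c7",
    "e5fd4d5774ad97e5c04b69deae33dc9e", "2893d476408e23b7e8a65c6898fe43fa",
    "8161d8339411ddd6d99d54d3aefa2943", "5a852305ffb7b5abeb39fcb9a37122ff",
    "f0656e3a70ab0a10f8d054149f12c935",
}
C2_DEFANGED = {"207[.]148[.]122[.]171", "139[.]180[.]217[.]203",
               "178[.]128[.]102[.]13", "139[.]59[.]243[.]219",
               "128[.]199[.]151[.]146", "api[.]rogerscorp[.]org"}
# Assumption: these are the only C:\Windows subdirectories a DLL load normally
# comes from; the campaign staged its DLLs in \Help\ and \debug\ instead.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\windows\\winsxs\\")

def refang(ioc: str) -> str:
    """Turn the published defanged form back into a matchable value."""
    return ioc.replace("[.]", ".")

C2 = {refang(i) for i in C2_DEFANGED}

def sideload_from_staging_dir(process: str, dll_path: str) -> bool:
    """True when a known side-loading host loads a DLL from an odd C:\\Windows subdir."""
    p = dll_path.lower()
    if process.lower() not in SIDELOAD_HOSTS or not p.startswith("c:\\windows\\"):
        return False
    return not p.startswith(EXPECTED_DIRS)

def scan(events):
    """Return one alert string per matched condition in the event records."""
    alerts = []
    for e in events:
        proc, path = e.get("process", ""), e.get("path", "")
        if e.get("md5", "").lower() in KNOWN_MD5:
            alerts.append(f"hash match: {e['md5']} {path}")
        if sideload_from_staging_dir(proc, path):
            alerts.append(f"side-load: {proc} <- {path}")
        if e.get("dst", "").lower() in C2:
            alerts.append(f"C2 contact: {proc} -> {e['dst']}")
    return alerts

# Constructed sample telemetry (image-load and network events), not real data.
SAMPLE = [
    {"process": "vlc.exe", "path": "C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll",
     "md5": "ffffffffffffffffffffffffffffffff"},            # benign install
    {"process": "vlc.exe", "path": "C:\\Windows\\Help\\Corporate\\libvlc.dll",
     "md5": "5a852305ffb7b5abeb39fcb9a37122ff"},            # campaign DLL
    {"process": "svchost.exe", "path": "C:\\Windows\\System32\\ntdll.dll"},
    {"process": "mfeann.exe", "dst": "207.148.122.171"},   # beacon check-in
]
if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The benign VLC load from its install directory produces no alert, while the same DLL name loaded from C:\Windows\Help\ is flagged both by path and by hash.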