Researchers Link Cheerscrypt Linux-Based Ransomware to Chinese Hackers


The recently discovered Linux-based ransomware strain known as Cheerscrypt has been attributed to a Chinese cyber espionage group known for operating short-lived ransomware schemes.

Cybersecurity firm Sygnia attributed the attacks to a threat actor it tracks under the name Emperor Dragonfly, also known as Bronze Starlight (Secureworks) and DEV-0401 (Microsoft).

Use of Cheerscrypt

Cheerscrypt was first analyzed by Trend Micro in May 2022. Like the other ransomware families employed by the group, the Cheerscrypt encryptor was built from the code of the Babuk ransomware, which was leaked online in June 2021.

The use of Cheerscrypt is the latest addition to a long list of ransomware families previously deployed by the group in little more than a year, which includes LockFile, AtomSilo, Rook, Night Sky, Pandora, and LockBit 2.0.

The attackers also delivered three Go-based tools along with the Cobalt Strike beacon: a keylogger that uploads captured keystrokes to Alibaba Cloud, a customized version of the internet proxy utility iox, and the tunneling software NPS.

The attackers used the open-source Impacket toolkit to perform reconnaissance and move laterally within the target network.

The threat actor's modus operandi further stands out for its handling of all stages of the ransomware attack lifecycle.

Cheerscrypt's links to Emperor Dragonfly rest on similarities in initial access vectors, lateral movement techniques, and the deployment of the encrypted Cobalt Strike beacon by means of DLL side-loading.

Mitigation

  • Identify and patch critical vulnerabilities. 
  • Limit outbound internet access from servers. 
  • Protect the virtualization platform. 
  • Limit lateral movement through the network. 
  • Protect privileged accounts. 

IOCs

MD5 | Description | File Name
37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\OEM\ContentStore\vlcplayer.dat
240118f6205effcb3a12455a81cfb1c7 | Weaponized DLL loaded by FCAuth.exe | C:\Windows\Help\Corporate\utilsdll.dll
e5fd4d5774ad97e5c04b69deae33dc9e | Weaponized DLL loaded by mfeann.exe | C:\Windows\debug\LockDown.dll
2893d476408e23b7e8a65c6898fe43fa | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat
8161d8339411ddd6d99d54d3aefa2943 | Encrypted Cobalt Strike payload | C:\Windows\debug\debug.dat
5a852305ffb7b5abeb39fcb9a37122ff | Weaponized DLL loaded by vlc.exe | C:\Windows\Help\Corporate\libvlc.dll
f0656e3a70ab0a10f8d054149f12c935 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\auth.dat
37011eed9de6a90f3be3e1cbba6c5ab2 | Encrypted Cobalt Strike payload | C:\Windows\Help\Corporate\vlcplayer.dat

IP Address | Description | URL
207[.]148[.]122[.]171 | C&C server | api[.]rogerscorp[.]org
139[.]180[.]217[.]203 | C&C server (Cobalt Strike Beacon was downloaded from this IP) |
178[.]128[.]102[.]13 | Cobalt Strike C&C server |
139[.]59[.]243[.]219 | Cobalt Strike C&C server |
128[.]199[.]151[.]146 | NPS server |
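A practitioner working this IOC list wants something that runs against hosts and logs. The Python script below is an added example, not Sygnia's or this site's tooling: it carries the MD5 hashes, drop paths and defanged network indicators from the table above, scans a directory tree for the listed hashes, matches refanged indicators against log lines without letting 178.128.102.13 match inside a longer address, and flags Sysmon image-load style events (Image, ImageLoaded, Hashes fields) using the side-loading pairs the table implies. The sample log lines and events are constructed, the Program Files install-root check is a heuristic assumption, and the SHA256 value in the sample event is a placeholder, not a real hash.

```python
"""Hunt for the Emperor Dragonfly / Cheerscrypt indicators listed above.
Added example, not Sygnia's or this site's tooling: hashes, drop paths and network
indicators are copied from the IOC table; sample log lines and events are constructed."""
import hashlib
import ntpath
import os
import re
import tempfile

FILE_IOCS = {  # MD5 -> description, from the table
    "37011eed9de6a90f3be3e1cbba6c5ab2": "Encrypted Cobalt Strike payload",
    "240118f6205effcb3a12455a81cfb1c7": "Weaponized DLL loaded by FCAuth.exe",
    "e5fd4d5774ad97e5c04b69deae33dc9e": "Weaponized DLL loaded by mfeann.exe",
    "2893d476408e23b7e8a65c6898fe43fa": "Encrypted Cobalt Strike payload",
    "8161d8339411ddd6d99d54d3aefa2943": "Encrypted Cobalt Strike payload",
    "5a852305ffb7b5abeb39fcb9a37122ff": "Weaponized DLL loaded by vlc.exe",
    "f0656e3a70ab0a10f8d054149f12c935": "Encrypted Cobalt Strike payload",
}
NETWORK_IOCS = {  # kept defanged so this block is safe to paste around
    "207[.]148[.]122[.]171": "C&C server",
    "api[.]rogerscorp[.]org": "C&C server",
    "139[.]180[.]217[.]203": "C&C server (beacon download)",
    "178[.]128[.]102[.]13": "Cobalt Strike C&C server",
    "139[.]59[.]243[.]219": "Cobalt Strike C&C server",
    "128[.]199[.]151[.]146": "NPS server",
}
SIDELOAD_PAIRS = {("fcauth.exe", "utilsdll.dll"), ("mfeann.exe", "lockdown.dll"),
                  ("vlc.exe", "libvlc.dll")}  # (host binary, DLL) from the table
DROP_DIRS = ("c:\\windows\\help\\", "c:\\windows\\debug\\")  # table paths; no DLL belongs here
LEGIT_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")  # heuristic assumption

def refang(ioc):
    """'a[.]b' -> 'a.b' so a defanged indicator can be compared with live data."""
    return ioc.replace("[.]", ".")

def scan_files(roots, hashes=FILE_IOCS):
    """Walk roots; return (path, md5, description) for each file whose MD5 is listed."""
    hits = []
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        digest = hashlib.md5(f.read()).hexdigest()
                except OSError:
                    continue  # unreadable or vanished file; keep walking
                if digest in hashes:
                    hits.append((path, digest, hashes[digest]))
    return hits

def scan_log(lines, iocs=NETWORK_IOCS):
    """(line, indicator, description) for every log line carrying a network IOC.
    The lookarounds stop 178.128.102.13 matching inside 178.128.102.130."""
    pats = [(re.compile(r"(?<![\w.])" + re.escape(refang(k)) + r"(?![\w.])"), refang(k), v)
            for k, v in iocs.items()]
    return [(ln.strip(), ioc, d) for ln in lines for rx, ioc, d in pats if rx.search(ln)]

def detect_sideload(events):
    """Flag Sysmon event 7 style records (Image, ImageLoaded, Hashes), most certain rule
    first: listed DLL hash; DLL loaded from a drop directory; known side-load pair whose
    host binary runs from outside its install root (heuristic)."""
    hits = []
    for ev in events:
        image, loaded = ev["Image"].lower(), ev["ImageLoaded"].lower()
        host, dll = ntpath.basename(image), ntpath.basename(loaded)
        md5 = next((kv[4:] for kv in ev.get("Hashes", "").lower().split(",")
                    if kv.startswith("md5=")), "")
        if md5 in FILE_IOCS:
            hits.append((ev["Image"], ev["ImageLoaded"], FILE_IOCS[md5]))
        elif dll.endswith(".dll") and loaded.startswith(DROP_DIRS):
            hits.append((ev["Image"], ev["ImageLoaded"], "DLL loaded from drop directory"))
        elif (host, dll) in SIDELOAD_PAIRS and not image.startswith(LEGIT_ROOTS):
            hits.append((ev["Image"], ev["ImageLoaded"], "side-load pair outside install root"))
    return hits

SAMPLE_LOG = [  # constructed proxy/DNS lines, not real telemetry
    "2022-09-30T10:01:02Z srv01 CONNECT 178.128.102.13:443 user=svc_backup",
    "2022-09-30T10:01:05Z srv01 CONNECT 178.128.102.130:443 user=svc_backup",
    "2022-09-30T10:02:11Z srv02 DNS query api.rogerscorp.org A",
    "2022-09-30T10:03:00Z srv02 CONNECT 10.0.0.8:445",
]
SAMPLE_IMAGE_LOADS = [  # constructed Sysmon-style events (SHA256 value is a placeholder)
    {"Image": r"C:\Windows\Help\Corporate\mfeann.exe", "ImageLoaded": r"C:\Windows\debug\LockDown.dll",
     "Hashes": "MD5=E5FD4D5774AD97E5C04B69DEAE33DC9E,SHA256=0000"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\Help\Corporate\auth.dll"},
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"Image": r"C:\Users\Public\vlc.exe", "ImageLoaded": r"C:\Users\Public\libvlc.dll"},
]

def demo_file_scan():
    """Self-contained file-scan check against a constructed sample, not a real IOC."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sample.dat"), "wb") as f:
            f.write(b"hello world")  # MD5 5eb63bbbe01eeed093cb22bb8f5acdc3
        return scan_files([d], {"5eb63bbbe01eeed093cb22bb8f5acdc3": "constructed sample"})

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG) + detect_sideload(SAMPLE_IMAGE_LOADS) + demo_file_scan():
        print(hit)
```

Run it as a script to print the hits on the constructed samples. For a real hunt, call scan_files with the roots that matter (C:\Windows\Help and C:\Windows\debug first, since every listed path sits under them) and feed scan_log your proxy and DNS exports. MD5 is used only because the table gives MD5; treat a hash hit as confirmation and the drop-directory and pair rules as leads to triage, since a legitimate VLC install loads libvlc.dll from its own directory and must not be flagged.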


Published October 4th, 2022

About the Author: FirstHackersNews (Identifies Security)
