Cheerscrypt Ransomware Detection: China-Backed Hackers, Emperor Dragonfly aka Bronze Starlight, Are Behind Ongoing Cyber Attacks

Novel Cheerscrypt Ransomware

Cybersecurity researchers have recently uncovered novel Cheerscrypt Linux-based ransomware. The delivery of ransomware strains has been linked to the China-backed group Emperor Dragonfly also tracked as Bronze Starlight. The hacking collective was also spotted in earlier cyber attacks spreading encrypted Cobalt Strike beacons after gaining initial access to VMware Horizon servers and exploiting the infamous Log4Shell vulnerability.

Detect Cheerscrypt Ransomware and Cobalt Strike Beacon Malware Strains Spread by Emperor Dragonfly

To help organizations withstand the offensive capabilities of Emperor Dragonfly hackers, SOC Prime’s platform has recently released a set of curated Sigma rules for proactive detection of the group’s malicious activity. These Sigma rules crafted by our Threat Bounty Program developers, Zaw Min Htun (ZETA) and Chayanin, are compatible with the industry-leading SIEM, EDR, and XDR platforms and are mapped to the MITRE ATT&CK® framework

The detection algorithm written by Zaw Min Htun (ZETA) addresses the Initial Access and Execution tactics with the corresponding Exploit Public-Facing Application (T1190) and System Services (T1569) ATT&CK techniques while the Sigma rule from Chayanin for DLL side-loading detection addresses the Hijack Execution Flow (T1574) technique from the Defense Evasion tactic repertoire. 

Click the Explore Detections button below to instantly reach relevant Sigma rules related to the adversary operations of the Emperor Dragonfly China-backed actors and explore the comprehensive cyber threat context.

Explore Detections

Emperor Dragonfly Attack Analysis: What’s Behind the Latest Malicious Campaigns of Chinese Hackers

China-backed APT groups are currently on the rise engaged in diverse cyber espionage campaigns. At the turn of 2022, multiple Chinese groups, including Bronze Starlight also known as Emperor Dragonfly or DEV-0401, were behind the distribution of the ShadowPad backdoor. The latter China-linked group is also attributed to the most recent malicious campaigns spreading novel Cheerscrypt Linux-based ransomware. Cheerscrypt is the latest addition to a wide range of ransomware families earlier leveraged by the Chinese threat actors, such as Atom Silo and LockBit 2.0

The report by Sygnia industry experts has uncovered recent adversary campaigns distributing Cheerscrypt and linked them to the Chinese-backed threat actors known as Night Sky. Researchers suggest that Cheerscrypt and Night Sky appear to be rebrands of the same China-linked group tracked as Emperor Dragonfly. 

The report by Trend Micro was the first to shed light on Cheerscrypt, in which this ransomware variant targeting VMware ESXi servers was related to the leaked Babuk source code.

In earlier campaigns dating back to January 2022, Emperor Dragonfly ransomware operators were also involved in the encrypted Cobalt Strike beacon delivery through the exploitation of a critical RCE zero-day in Apache Log4j tracked as CVE-2021-44228 aka Log4Shell. In this campaign, threat actors applied PowerShell to spread the infection further leading to the Cobalt Strike Beacon delivery. The distribution of Cheerscrypt can be attributed to Emperor Dragonfly based on the similarities in the observed adversary TTPs, including initial access vectors, lateral movement approaches, and the Cobalt Strike beacon delivery using DLL side-loading.

What makes Emperor Dragonfly stand out from other ransomware operators is the fact that they conduct the entire malicious campaign on their own and tend to rebrand their payloads. This enables them to evade detection, posing a serious threat to cyber defenders. 

The SOC Prime Threat Bounty Program connects aspiring threat researchers from across the world striving to contribute to collective cyber defense by helping industry peers outpace offensive capabilities. Tap into the ranks of our crowdsourced initiative by crafting your Sigma rules, sharing them with the world, and monetizing your contribution.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts