Revealing Emperor Dragonfly: Night Sky and Cheerscrypt – A Single Ransomware Group – Sygnia

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Initial access via VMware Horizon compromised using the Log4Shell vulnerability. “In January 2022, a VMware Horizon server was compromised by threat actors leveraging the Log4Shell vulnerability (CVE-2021-4428).”
• [T1059.001] Command and Scripting Interpreter: PowerShell – “PowerShell was used to execute reconnaissance commands and communicate with a Command and Control (C&C) server.”
• [T1047] Windows Management Instrumentation – “The threat actors utilized Impacket’s Python modules: ‘SMBExec.py’ and ‘WMIExec.py’ to move laterally and perform reconnaissance.”
• [T1569.002] System Services: Service Execution – “the same compromised user account to deploy both the Cobalt Strike Beacons and the Go binaries. This user account was also used to create a system service which functioned as the Go tools persistence mechanism.”
• [T1543.003] Create or Modify System Process: Windows Service – Persistence via Windows service created for tool persistence.
• [T1574.002] Hijack Execution Flow: DLL Side-Loading – “a signed legitimate executable was abused to side-load a weaponized DLL, which loaded and decrypted a Cobalt Strike Beacon.”
• [T1070.004] Indicator Removal on Host: File Deletion – use of batch execution with temp file deletion (del %TEMP%execute.bat) as part of cleanup.
• [T1135] Network Share Discovery – Discovery and movement within network using Impacket tools to perform remote operations.
• [T1082] System Information Discovery – reconnaissance details gathered during intrusion.
• [T1016] System Network Configuration Discovery – network configuration reconnaissance during the attack.
• [T1570] Lateral Tool Transfer – deployment of three Go binaries alongside Beacons, indicating transfer of secondary tools within the network.
• [T1090] Proxy – IOX acts as a port-forwarder/proxy for tunneling and C2 communication (“IOX port-forwarding and proxy”).
• [T1572] Protocol Tunneling – tools enable tunneling (e.g., ShadowSocks-like functionality) to evade network controls.
• [T1071.001] Application Layer Protocol: Web Protocols – Cobalt Strike beacons communicate with C2 via web protocols.
• [T1048] Exfiltration Over Alternative Protocol – data exfiltration to Mega cloud storage via Rclone.
• [T1567.002] Exfiltration to Cloud Storage – explicit exfiltration to Mega cloud storage service.
• [T1486] Data Encrypted for Impact – Cheerscrypt encrypts Windows and ESXi hosts, delivering the ransomware impact.