win.nightsky

NightSky

aka: Night Sky

There is no description at this point.

References
2022-06-23 — Secureworks — Counter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-02-01 — Youtube (OALabs) — OALabs
@online{oalabs:20220201:how:5af03e0, author = {OALabs}, title = {{How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]}}, date = {2022-02-01}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=Yzt_zOO8pDM}, language = {English}, urldate = {2022-02-02} } How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]
NightSky
2022-01-25 — Cynet — Orion Threat Research and Intelligence Team
@online{team:20220125:threats:5269cbc, author = {Orion Threat Research and Intelligence Team}, title = {{Threats Looming Over the Horizon}}, date = {2022-01-25}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/}, language = {English}, urldate = {2022-01-28} } Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky
2022-01-11 — Twitter (@cglyer) — Christopher Glyer
@online{glyer:20220111:cn:250fa8a, author = {Christopher Glyer}, title = {{Tweet on CN based ransomware operator using log4shell to deploy NightSky}}, date = {2022-01-11}, organization = {Twitter (@cglyer)}, url = {https://twitter.com/cglyer/status/1480734487000453121}, language = {English}, urldate = {2022-07-25} } Tweet on CN based ransomware operator using log4shell to deploy NightSky
NightSky BRONZE STARLIGHT
2022-01-11 — Twitter (@cglyer) — Christopher Glyer
@online{glyer:20220111:thread:ae5ec3d, author = {Christopher Glyer}, title = {{Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware}}, date = {2022-01-11}, organization = {Twitter (@cglyer)}, url = {https://twitter.com/cglyer/status/1480742363991580674}, language = {English}, urldate = {2022-01-25} } Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware
Cobalt Strike NightSky
2022-01-06 — BleepingComputer
@online{bleepingcomputer:20220106:night:7b146e2, author = {BleepingComputer}, title = {{Night Sky is the latest ransomware targeting corporate networks}}, date = {2022-01-06}, url = {https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/}, language = {English}, urldate = {2022-01-12} } Night Sky is the latest ransomware targeting corporate networks
NightSky
2021-12-11 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20211211:guidance:fb6acc1, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability}}, date = {2021-12-11}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation}, language = {English}, urldate = {2022-07-25} } Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability
Khonsari NightSky BRONZE STARLIGHT
Yara Rules
[TLP:WHITE] win_nightsky_auto (20230125 | Detects win.nightsky.)
rule win_nightsky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.nightsky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - The rule consists of ten x86-64 opcode-byte sequences ($sequence_0 ..
     *   $sequence_9). It fires when any 7 of the 10 match and the scanned
     *   object is smaller than 19536896 bytes (~18.6 MiB); the size bound
     *   keeps the scan cheap on large files rather than adding precision.
     * - Every "??" wildcard below sits in the rel32 operand of an E8 (call)
     *   opcode, so call targets are ignored and the sequences survive
     *   relocation of the called function.
     * - The per-byte mnemonic column emitted by the generator did not match
     *   the listed bytes (e.g. F9 is stc, 50 is push rax, 48 8B C8 is
     *   mov rcx, rax). The annotations have been re-derived by hand as
     *   x86-64 below; verify with a disassembler before relying on them.
     * - Per the disclaimer above the bytes were taken from unpacked code and
     *   memory dumps. A packed sample on disk (the OALabs reference on this
     *   page covers a VMProtect 3 x64 build) may only match after unpacking
     *   or when scanning process memory — TODO confirm against your own
     *   sample set before assigning a confidence level.
     */


    strings:
        $sequence_0 = { 4d03c0 498b17 488bc8 e8???????? 4c8b5b08 488b03 6642892c58 }
            // n = 7, score = 100
            //   4d03c0               | add                 r8, r8
            //   498b17               | mov                 rdx, qword ptr [r15]
            //   488bc8               | mov                 rcx, rax
            //   e8????????           | call                <rel32 wildcarded>
            //   4c8b5b08             | mov                 r11, qword ptr [rbx + 8]
            //   488b03               | mov                 rax, qword ptr [rbx]
            //   6642892c58           | mov                 word ptr [rax + r11*2], bp

        $sequence_1 = { e8???????? 488bfb 4803ff 4c8d2d2d000100 49837cfd0000 7404 8bc6 }
            // n = 7, score = 100
            //   e8????????           | call                <rel32 wildcarded>
            //   488bfb               | mov                 rdi, rbx
            //   4803ff               | add                 rdi, rdi
            //   4c8d2d2d000100       | lea                 r13, [rip + 0x1002d]
            //   49837cfd0000         | cmp                 qword ptr [r13 + rdi*8], 0
            //   7404                 | je                  +0x4
            //   8bc6                 | mov                 eax, esi

        $sequence_2 = { 498b4c2408 48894b08 48ffc1 b802000000 48f7e1 490f40c5 }
            // n = 6, score = 100
            //   498b4c2408           | mov                 rcx, qword ptr [r12 + 8]
            //   48894b08             | mov                 qword ptr [rbx + 8], rcx
            //   48ffc1               | inc                 rcx
            //   b802000000           | mov                 eax, 2
            //   48f7e1               | mul                 rcx
            //   490f40c5             | cmovo               rax, r13

        $sequence_3 = { 4983fc07 400f97c7 4883c701 745c 498b4508 498b5d18 4c8d4c2420 }
            // n = 7, score = 100
            //   4983fc07             | cmp                 r12, 7
            //   400f97c7             | seta                dil
            //   4883c701             | add                 rdi, 1
            //   745c                 | je                  +0x5c
            //   498b4508             | mov                 rax, qword ptr [r13 + 8]
            //   498b5d18             | mov                 rbx, qword ptr [r13 + 0x18]
            //   4c8d4c2420           | lea                 r9, [rsp + 0x20]

        $sequence_4 = { 420fb68c22e0b10400 440bc1 410fb6c9 41c1e008 420fb68c2180af0400 }
            // n = 5, score = 100
            //   420fb68c22e0b10400     | movzx  ecx, byte ptr [rdx + r12 + 0x4b1e0]
            //   440bc1               | or                  r8d, ecx
            //   410fb6c9             | movzx               ecx, r9b
            //   41c1e008             | shl                 r8d, 8
            //   420fb68c2180af0400     | movzx  ecx, byte ptr [rcx + r12 + 0x4af80]

        $sequence_5 = { 488b88c0000000 488d05d6400100 395914 4a8b0cf0 498b0c0f }
            // n = 5, score = 100
            //   488b88c0000000       | mov                 rcx, qword ptr [rax + 0xc0]
            //   488d05d6400100       | lea                 rax, [rip + 0x140d6]
            //   395914               | cmp                 dword ptr [rcx + 0x14], ebx
            //   4a8b0cf0             | mov                 rcx, qword ptr [rax + r14*8]
            //   498b0c0f             | mov                 rcx, qword ptr [r15 + rcx]

        $sequence_6 = { 41d3e1 4402c0 488bfc 4881ec80010000 f9 66452bc7 4881e4f0ffffff }
            // n = 7, score = 100
            //   41d3e1               | shl                 r9d, cl
            //   4402c0               | add                 r8b, al
            //   488bfc               | mov                 rdi, rsp
            //   4881ec80010000       | sub                 rsp, 0x180
            //   f9                   | stc
            //   66452bc7             | sub                 r8w, r15w
            //   4881e4f0ffffff       | and                 rsp, 0xfffffffffffffff0

        $sequence_7 = { 4889442428 488d057c130100 4889442420 4c8b4c2450 4c8b442458 488b542460 33c9 }
            // n = 7, score = 100
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488d057c130100       | lea                 rax, [rip + 0x1137c]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   4c8b4c2450           | mov                 r9, qword ptr [rsp + 0x50]
            //   4c8b442458           | mov                 r8, qword ptr [rsp + 0x58]
            //   488b542460           | mov                 rdx, qword ptr [rsp + 0x60]
            //   33c9                 | xor                 ecx, ecx

        $sequence_8 = { 4156 66440fbeca 0fbfd9 660fb6f9 50 480fb7f1 4d8bd4 }
            // n = 7, score = 100
            //   4156                 | push                r14
            //   66440fbeca           | movsx               r9w, dl
            //   0fbfd9               | movsx               ebx, cx
            //   660fb6f9             | movzx               di, cl
            //   50                   | push                rax
            //   480fb7f1             | movzx               rsi, cx
            //   4d8bd4               | mov                 r10, r12

        $sequence_9 = { 0f8cc6010000 41b816000000 488d15993c0300 488bcb e8???????? 85c0 }
            // n = 6, score = 100
            //   0f8cc6010000         | jl                  +0x1c6
            //   41b816000000         | mov                 r8d, 0x16
            //   488d15993c0300       | lea                 rdx, [rip + 0x33c99]
            //   488bcb               | mov                 rcx, rbx
            //   e8????????           | call                <rel32 wildcarded>
            //   85c0                 | test                eax, eax

    condition:
        // Any 7 of the 10 sequences; the size cap bounds scan cost on large files.
        7 of them and filesize < 19536896
}