win.nightsky

NightSky

aka: Night Sky

There is no description at this point.

References
2022-06-23 | Secureworks | Counter Threat Unit ResearchTeam
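@comment{Corporate author wrapped in an extra brace pair so name parsing treats it as one surname; title bracing narrowed from the whole title to the proper nouns so sentence-casing styles can still recase the rest.}
@online{researchteam:20220623:bronze:8bccd74,
  author       = {{Counter Threat Unit ResearchTeam}},
  title        = {{BRONZE STARLIGHT} Ransomware Operations Use {HUI} Loader},
  date         = {2022-06-23},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader},
  language     = {English},
  urldate      = {2022-09-20},
}
BRONZE STARLIGHT Ransomware Operations Use HUI Loader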
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
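@comment{Two corporate authors, each braced as a single surname and joined with " and "; the original single brace pair would split "Microsoft 365 Defender Threat Intelligence Team" into first/last parts. Title no longer double-braced so styles may recase it.}
@online{team:20220509:ransomwareasaservice:13ec472,
  author       = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}},
  title        = {Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself},
  date         = {2022-05-09},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself},
  language     = {English},
  urldate      = {2022-05-17},
}
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself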
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-02-01 | Youtube (OALabs) | OALabs
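@comment{Corporate author double-braced; product and family names in the title braced individually instead of double-bracing the whole title.}
@online{oalabs:20220201:how:5af03e0,
  author       = {{OALabs}},
  title        = {How To Unpack {VMProtect} 3 (x64) {Night Sky} Ransomware With {VMPDump} [{Patreon} Unlocked]},
  date         = {2022-02-01},
  organization = {Youtube (OALabs)},
  url          = {https://www.youtube.com/watch?v=Yzt_zOO8pDM},
  language     = {English},
  urldate      = {2022-02-02},
}
How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]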
NightSky
2022-01-25 | Cynet | Orion Threat Research and Intelligence Team
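@comment{The team name contains a literal " and ", so with a single brace pair it was parsed as two authors ("Orion Threat Research" and "Intelligence Team"); the extra brace pair makes it one corporate name. Title no longer double-braced.}
@online{team:20220125:threats:5269cbc,
  author       = {{Orion Threat Research and Intelligence Team}},
  title        = {Threats Looming Over the Horizon},
  date         = {2022-01-25},
  organization = {Cynet},
  url          = {https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/},
  language     = {English},
  urldate      = {2022-01-28},
}
Threats Looming Over the Horizon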
Cobalt Strike Meterpreter NightSky
2022-01-11 | Twitter (@cglyer) | Christopher Glyer
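@comment{Personal author in the unambiguous "Last, First" form; acronym and family name in the title braced individually rather than double-bracing the whole title.}
@online{glyer:20220111:cn:250fa8a,
  author       = {Glyer, Christopher},
  title        = {Tweet on {CN} based ransomware operator using {log4shell} to deploy {NightSky}},
  date         = {2022-01-11},
  organization = {Twitter (@cglyer)},
  url          = {https://twitter.com/cglyer/status/1480734487000453121},
  language     = {English},
  urldate      = {2022-07-25},
}
Tweet on CN based ransomware operator using log4shell to deploy NightSky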
NightSky BRONZE STARLIGHT
2022-01-11 | Twitter (@cglyer) | Christopher Glyer
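@comment{Personal author in "Last, First" form; actor id, product and family names in the title braced individually rather than double-bracing the whole title.}
@online{glyer:20220111:thread:ae5ec3d,
  author       = {Glyer, Christopher},
  title        = {Thread on {DEV-0401}, a china based ransomware operator exploiting {VMware Horizon} with {log4shell} and deploying {NightSky} ransomware},
  date         = {2022-01-11},
  organization = {Twitter (@cglyer)},
  url          = {https://twitter.com/cglyer/status/1480742363991580674},
  language     = {English},
  urldate      = {2022-01-25},
}
Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware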
Cobalt Strike NightSky
2022-01-06 | BleepingComputer
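@comment{Corporate author double-braced; only the family name in the title is protected from recasing. No organization field in the original, none added.}
@online{bleepingcomputer:20220106:night:7b146e2,
  author   = {{BleepingComputer}},
  title    = {{Night Sky} is the latest ransomware targeting corporate networks},
  date     = {2022-01-06},
  url      = {https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/},
  language = {English},
  urldate  = {2022-01-12},
}
Night Sky is the latest ransomware targeting corporate networks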
NightSky
2021-12-11 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
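@comment{Two corporate authors, each braced as a single surname and joined with " and "; title no longer double-braced, only the product name is protected.}
@online{team:20211211:guidance:fb6acc1,
  author       = {{Microsoft 365 Defender Threat Intelligence Team} and {Microsoft Threat Intelligence Center (MSTIC)}},
  title        = {Guidance for preventing, detecting, and hunting for exploitation of the {Log4j} 2 vulnerability},
  date         = {2021-12-11},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation},
  language     = {English},
  urldate      = {2022-07-25},
}
Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability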
Khonsari NightSky BRONZE STARLIGHT
Yara Rules
[TLP:WHITE] win_nightsky_auto (20230715 | Detects win.nightsky.)
/*
 * Autogenerated code-sequence signature for the NightSky ransomware family
 * (Malpedia id win.nightsky). Each $sequence_N is a run of opcode bytes
 * lifted from unpacked / memory-dumped samples (see the DISCLAIMER inside
 * the rule); '??' bytes are masked operands. The review notes in the
 * strings and condition sections explain what the annotations do and do
 * not tell you; read them before assigning a confidence level to hits.
 */
rule win_nightsky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.nightsky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky"
        // NOTE(review): date, malpedia_rule_date and malpedia_version carry three
        // different dates; presumably rule generation, dataset snapshot and
        // publication respectively -- confirm against the yara-signator docs.
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each "// n = k, score = s" line: k is the number of instructions in
        // the sequence (it equals the number of byte groups on the line); the
        // meaning of score is defined by yara-signator and not stated here.
        // '????????' masks a 4-byte operand -- the relative target of a call
        // (e8 ..) or a memory displacement (ff15 ..) that changes between builds.
        // NOTE(review): the per-byte mnemonics beside each group do NOT line up
        // with the bytes they annotate (e.g. 4885c0 is `test rax, rax`, not a
        // mov; the 48/49/4c REX prefixes of 64-bit code show up as 32-bit
        // `dec eax` / `dec ecx` / `dec esp`). The hex bytes are the signature;
        // treat the mnemonics as noise when reading or tuning this rule.
        $sequence_0 = { 41b840000800 ff15???????? 4c8bf0 4885c0 74e0 488b4d80 4c8bfb }
            // n = 7, score = 100
            //   41b840000800         | fsub                dword ptr [esi + 0x270bf526]
            //   ff15????????         |                     
            //   4c8bf0               | and                 eax, ebx
            //   4885c0               | mov                 ebx, dword ptr [esp + 0xc]
            //   74e0                 | inc                 ecx
            //   488b4d80             | xor                 eax, esp
            //   4c8bfb               | inc                 esp

        $sequence_1 = { 4c23c8 48ffc2 483bd3 0f8269ffffff 488b5c2408 488b742410 488b7c2418 }
            // n = 7, score = 100
            //   4c23c8               | test                eax, eax
            //   48ffc2               | je                  0x3ca
            //   483bd3               | mov                 eax, 0xff
            //   0f8269ffffff         | dec                 eax
            //   488b5c2408           | lea                 edx, [0x1007a]
            //   488b742410           | dec                 eax
            //   488b7c2418           | lea                 ecx, [0x53ba6]

        $sequence_2 = { 498bc9 48c1e910 0fb6d1 498bc9 48c1e918 460fb68422e0b20400 420fb68c21e0b00400 }
            // n = 7, score = 100
            //   498bc9               | dec                 eax
            //   48c1e910             | mov                 dword ptr [edi + 0x88], 1
            //   0fb6d1               | dec                 esp
            //   498bc9               | mov                 eax, dword ptr [edi + 0x10]
            //   48c1e918             | dec                 eax
            //   460fb68422e0b20400     | lea    eax, [0x37bc3]
            //   420fb68c21e0b00400     | ret    

        $sequence_3 = { b808000000 48f7e5 490f40c0 488bc8 e8???????? 488bf0 4885db }
            // n = 7, score = 100
            //   b808000000           | inc                 esi
            //   48f7e5               | dec                 eax
            //   490f40c0             | lea                 ecx, [eax + eax*4]
            //   488bc8               | dec                 eax
            //   e8????????           |                     
            //   488bf0               | lea                 eax, [0x13342]
            //   4885db               | cmp                 dword ptr [ebx + 0x10], 0

        $sequence_4 = { 4181f3b3697961 6698 66400fb6f5 490fb7c4 41ffcb 4080cf30 4c03d9 }
            // n = 7, score = 100
            //   4181f3b3697961       | dec                 eax
            //   6698                 | shl                 ebx, 2
            //   66400fb6f5           | dec                 esp
            //   490fb7c4             | mov                 eax, ebx
            //   41ffcb               | movzx               edx, byte ptr [ecx + esi + 0x4b2e0]
            //   4080cf30             | movzx               eax, byte ptr [eax + esi + 0x4b0e0]
            //   4c03d9               | shl                 eax, 8

        $sequence_5 = { 8841ff 4d85db 740b c6013d 48ffc1 49ffc0 eb0e }
            // n = 7, score = 100
            //   8841ff               | test                edx, edx
            //   4d85db               | je                  0x91d
            //   740b                 | imul                ebx, ebp, -3
            //   c6013d               | fsub                dword ptr [esi + 0x270bf526]
            //   48ffc1               | add                 al, 0xc
            //   49ffc0               | sti                 
            //   eb0e                 | pop                 eax

        $sequence_6 = { ba10000000 e8???????? 498bcc e8???????? 4c8b642430 48c7432007000000 48896b18 }
            // n = 7, score = 100
            //   ba10000000           | dec                 eax
            //   e8????????           |                     
            //   498bcc               | mov                 eax, edx
            //   e8????????           |                     
            //   4c8b642430           | dec                 eax
            //   48c7432007000000     | shr                 eax, 0x1d
            //   48896b18             | inc                 ecx

        $sequence_7 = { 03c9 48c1e80d 48c1ea18 83e00f 83e20f 0b8c87306d0400 }
            // n = 6, score = 100
            //   03c9                 | dec                 esp
            //   48c1e80d             | mov                 esi, eax
            //   48c1ea18             | dec                 eax
            //   83e00f               | test                eax, eax
            //   83e20f               | mov                 edx, 8
            //   0b8c87306d0400       | dec                 esp

        $sequence_8 = { 488d0d0fda0000 480f45cf 48894b48 e8???????? eb17 4885ff 488d0dead90000 }
            // n = 7, score = 100
            //   488d0d0fda0000       | jmp                 0x1f
            //   480f45cf             | dec                 eax
            //   48894b48             | mov                 dword ptr [esp + 8], ebx
            //   e8????????           |                     
            //   eb17                 | dec                 eax
            //   4885ff               | mov                 dword ptr [esp + 0x10], esi
            //   488d0dead90000       | push                edi

        $sequence_9 = { 4c63d2 488bd9 498bc2 458bf1 48c1f806 488d0d5c110200 }
            // n = 6, score = 100
            //   4c63d2               | inc                 ecx
            //   488bd9               | mov                 eax, 0x40
            //   498bc2               | dec                 eax
            //   458bf1               | lea                 edx, [esp + 0x70]
            //   48c1f806             | dec                 eax
            //   488d0d5c110200       | mov                 ecx, edi

    condition:
        // Any 7 of the 10 sequences must match, and the scanned object must be
        // smaller than 19536896 bytes (= 19079 KiB).
        // NOTE(review): the sequences were lifted from unpacked / dumped code
        // (see DISCLAIMER), and the OALabs write-up listed for this family
        // describes VMProtect-packed samples, so expect hits on memory images
        // or unpacked files rather than on packed on-disk binaries.
        7 of them and filesize < 19536896
}