win.nightsky

NightSky

aka: Night Sky

There is no description at this point.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} }
Tagged: ATOMSILO, Cobalt Strike, HUI Loader, LockFile, NightSky, Pandora, PlugX, Quasar RAT, Rook, SodaMaster
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} }
Tagged: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT
2022-02-01 | Youtube (OALabs) | OALabs
@online{oalabs:20220201:how:5af03e0, author = {OALabs}, title = {{How To Unpack VMProtect 3 (x64) Night Sky Ransomware With VMPDump [Patreon Unlocked]}}, date = {2022-02-01}, organization = {Youtube (OALabs)}, url = {https://www.youtube.com/watch?v=Yzt_zOO8pDM}, language = {English}, urldate = {2022-02-02} }
Tagged: NightSky
2022-01-25 | Cynet | Orion Threat Research and Intelligence Team
@online{team:20220125:threats:5269cbc, author = {Orion Threat Research and Intelligence Team}, title = {{Threats Looming Over the Horizon}}, date = {2022-01-25}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/}, language = {English}, urldate = {2022-01-28} }
Tagged: Cobalt Strike, Meterpreter, NightSky
2022-01-11 | Twitter (@cglyer) | Christopher Glyer
@online{glyer:20220111:cn:250fa8a, author = {Christopher Glyer}, title = {{Tweet on CN based ransomware operator using log4shell to deploy NightSky}}, date = {2022-01-11}, organization = {Twitter (@cglyer)}, url = {https://twitter.com/cglyer/status/1480734487000453121}, language = {English}, urldate = {2022-07-25} }
Tagged: NightSky, BRONZE STARLIGHT
2022-01-11 | Twitter (@cglyer) | Christopher Glyer
@online{glyer:20220111:thread:ae5ec3d, author = {Christopher Glyer}, title = {{Thread on DEV-0401, a china based ransomware operator exploiting VMware Horizon with log4shell and deploying NightSky ransomware}}, date = {2022-01-11}, organization = {Twitter (@cglyer)}, url = {https://twitter.com/cglyer/status/1480742363991580674}, language = {English}, urldate = {2022-01-25} }
Tagged: Cobalt Strike, NightSky
2022-01-06 | BleepingComputer
@online{bleepingcomputer:20220106:night:7b146e2, author = {BleepingComputer}, title = {{Night Sky is the latest ransomware targeting corporate networks}}, date = {2022-01-06}, url = {https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-ransomware-targeting-corporate-networks/}, language = {English}, urldate = {2022-01-12} }
Tagged: NightSky
2021-12-11 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20211211:guidance:fb6acc1, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability}}, date = {2021-12-11}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation}, language = {English}, urldate = {2022-07-25} }
Tagged: Khonsari, NightSky, BRONZE STARLIGHT
Yara Rules
[TLP:WHITE] win_nightsky_auto (20221125 | Detects win.nightsky.)
rule win_nightsky_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.nightsky."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.nightsky"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d0d29f80300 418bd6 4c8d05df01ffff 418bf6 488bcf e8???????? }
            // n = 6, score = 100
            //   4c8d0d29f80300       | xor                 ebx, eax
            //   418bd6               | inc                 ecx
            //   4c8d05df01ffff       | and                 ebx, 0x1f
            //   418bf6               | dec                 eax
            //   488bcf               | lea                 edx, [0x11a0b]
            //   e8????????           |                     

        $sequence_1 = { 4153 440fb7dc 311424 f8 66410fbafbfb 415b }
            // n = 6, score = 100
            //   4153                 | add                 byte ptr [eax], al
            //   440fb7dc             | sal                 di, cl
            //   311424               | dec                 esp
            //   f8                   | mov                 ecx, esp
            //   66410fbafbfb         | sal                 di, 0x25
            //   415b                 | dec                 eax

        $sequence_2 = { 410f9cc3 66440fbdd8 4803e8 f7c4ff3f8f4b 490fbae2c2 410fbaf26c }
            // n = 6, score = 100
            //   410f9cc3             | jmp                 0x30d
            //   66440fbdd8           | dec                 ebx
            //   4803e8               | xchg                dword ptr [edi + esi*8 + 0x528e0], edi
            //   f7c4ff3f8f4b         | xor                 eax, eax
            //   490fbae2c2           | dec                 eax
            //   410fbaf26c           | mov                 ebx, dword ptr [esp + 0x50]

        $sequence_3 = { 410fb6ca 44894560 45338c8d107d0500 45330f 4983c704 44894dd8 4c897df0 }
            // n = 7, score = 100
            //   410fb6ca             | inc                 ecx
            //   44894560             | mov                 dword ptr [ebx + 8], esi
            //   45338c8d107d0500     | dec                 esp
            //   45330f               | mov                 esp, esi
            //   4983c704             | dec                 ecx
            //   44894dd8             | mov                 dword ptr [ebx - 0x80], esi
            //   4c897df0             | dec                 ecx

        $sequence_4 = { 48c7442420c8000000 e8???????? 4881c700010000 4881c3c8000000 4883ee01 7588 }
            // n = 6, score = 100
            //   48c7442420c8000000   | lea                 ebp, [0x158c1]
            //   e8????????           |                     
            //   4881c700010000       | cmp                 eax, ebx
            //   4881c3c8000000       | jl                  0x41b
            //   4883ee01             | jmp                 0x4a8
            //   7588                 | jmp                 0x4a2

        $sequence_5 = { 4883ec50 48c7442428feffffff 4d8be0 488bf9 488bf2 4883ce07 }
            // n = 6, score = 100
            //   4883ec50             | cmp                 eax, 6
            //   48c7442428feffffff   | ja                  0x510
            //   4d8be0               | dec                 eax
            //   488bf9               | lea                 edx, [0xffff37d6]
            //   488bf2               | mov                 eax, dword ptr [edx + 4]
            //   4883ce07             | dec                 eax

        $sequence_6 = { 4883f842 72e5 4c8d85c0230000 33d2 488d4c246c ff15???????? }
            // n = 6, score = 100
            //   4883f842             | mov                 dword ptr [esp + 0x30], ebx
            //   72e5                 | inc                 ebp
            //   4c8d85c0230000       | xor                 ecx, ecx
            //   33d2                 | mov                 dword ptr [esp + 0x28], 0x8000000
            //   488d4c246c           | mov                 ecx, dword ptr [ebp - 0x20]
            //   ff15????????         |                     

        $sequence_7 = { c4c173590cc1 4c8d0d85840000 c5f359c1 c5fb101d???????? c5fb102d???????? c4e2f1a91d???????? c4e2f1a92d???????? }
            // n = 7, score = 100
            //   c4c173590cc1         | dec                 esp
            //   4c8d0d85840000       | mov                 esi, ecx
            //   c5f359c1             | mov                 edx, 8
            //   c5fb101d????????     |                     
            //   c5fb102d????????     |                     
            //   c4e2f1a91d????????   |                     
            //   c4e2f1a92d????????   |                     

        $sequence_8 = { 7505 488be9 eb03 4803ed b808000000 48f7e5 490f40c0 }
            // n = 7, score = 100
            //   7505                 | lea                 ecx, [0x16ab7]
            //   488be9               | jmp                 0xe93
            //   eb03                 | inc                 ebp
            //   4803ed               | mov                 ecx, eax
            //   b808000000           | dec                 esp
            //   48f7e5               | mov                 eax, edx
            //   490f40c0             | mov                 dword ptr [esp + 0x20], eax

        $sequence_9 = { 4c8b6d58 4c8d35d1a7ffff 448bd6 418bd9 418bf8 418bc4 48c1e808 }
            // n = 7, score = 100
            //   4c8b6d58             | xor                 esp, dword ptr [ebp + ecx*4 + 0x57510]
            //   4c8d35d1a7ffff       | inc                 ecx
            //   448bd6               | mov                 ecx, ebx
            //   418bd9               | dec                 ecx
            //   418bf8               | shr                 ecx, 8
            //   418bc4               | inc                 edi
            //   48c1e808             | mov                 eax, dword ptr [ebp + eax*4 + 0x57910]

    condition:
        7 of them and filesize < 19536896
}