Cinnamon Tempest

Cinnamon Tempest is a China-based threat group that has been active since at least 2021, deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate its ransomware on an affiliate model or purchase access, but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and the use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.[1][2][3][4]

ID: G1021
Associated Groups: DEV-0401, Emperor Dragonfly, BRONZE STARLIGHT
Version: 1.0
Created: 06 December 2023
Last Modified: 04 April 2024

Associated Group Descriptions

Name Description
DEV-0401 [2]
Emperor Dragonfly [5]
BRONZE STARLIGHT [6]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Cinnamon Tempest has used Impacket for lateral movement via WMI.[1][5]

Enterprise T1090 Proxy

Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool.[5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cinnamon Tempest has created system services to establish persistence for deployed tooling.[5]

Enterprise T1190 Exploit Public-Facing Application

Cinnamon Tempest has exploited multiple unpatched vulnerabilities for initial access, including vulnerabilities in Microsoft Exchange, ManageEngine ADSelfService Plus, Confluence, and Log4j.[1][7][5][4]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons.[1][4]

.002 Hijack Execution Flow: DLL Side-Loading

Cinnamon Tempest has abused legitimate executables to side-load weaponized DLLs.[5]
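The two loading tricks above (a DLL with a system DLL's name resolved from the application directory, and an unsigned DLL pulled in by a signed executable from the same user-writable folder) show up in image-load telemetry. The following Python is an added example, not code from ATT&CK or from any of the cited reports: it runs two rules over constructed Sysmon-style Event ID 7 records. The `ProcessSigned` field is an assumed enrichment joined from the process-creation event (Sysmon's Event 7 only carries signature data for the loaded DLL), the directory lists are deliberately minimal, and every path and file name is invented.

```python
# Constructed Sysmon-style image-load records (Event ID 7) as "key=value|..."
# lines. ProcessSigned is an assumed enrichment field (it would be joined from
# the process-creation record of the same ProcessGuid; Sysmon's Event 7 itself
# only carries signature data for the loaded image). All paths are invented.
SAMPLE_IMAGE_LOADS = [
    # Unsigned DLL loaded from the same user-writable directory as a signed EXE:
    # the classic side-loading layout.
    "Image=C:\\Users\\Public\\Libraries\\update\\vendor_tool.exe|ProcessSigned=true"
    "|ImageLoaded=C:\\Users\\Public\\Libraries\\update\\vendor_tool_core.dll|Signed=false|Signature=",
    # A DLL carrying a well-known System32 name resolved from the application
    # directory instead of System32: search-order hijacking.
    "Image=C:\\ProgramData\\svc\\report_viewer.exe|ProcessSigned=true"
    "|ImageLoaded=C:\\ProgramData\\svc\\version.dll|Signed=false|Signature=",
    # Benign: the real version.dll from System32.
    "Image=C:\\Program Files\\Example\\app.exe|ProcessSigned=true"
    "|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|Signature=Microsoft Windows",
    # Benign: an unsigned plugin shipped inside a Program Files install.
    "Image=C:\\Program Files\\Example\\app.exe|ProcessSigned=true"
    "|ImageLoaded=C:\\Program Files\\Example\\plugin.dll|Signed=false|Signature=",
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories that need administrative rights to write to; a DLL an installer
# placed beside its own EXE here is normal. An attacker who already has admin
# can drop files there too, so this is a noise trade-off, not a boundary.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Small sample of System32 DLL names that are commonly hijacked; a real
# deployment would use the full System32/KnownDLLs inventory of the host.
SYSTEM_DLL_NAMES = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptbase.dll"}


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def split_path(path):
    """Lower-cased (directory with trailing backslash, file name)."""
    directory, _, name = path.lower().rpartition("\\")
    return directory + "\\", name


def evaluate_image_load(fields):
    """Return the rule names that fire for one parsed image-load event."""
    proc_dir, _ = split_path(fields.get("Image", ""))
    dll_dir, dll_name = split_path(fields.get("ImageLoaded", ""))
    dll_signed = fields.get("Signed", "").lower() == "true"
    proc_signed = fields.get("ProcessSigned", "").lower() == "true"
    hits = []
    # Search-order hijacking: a system DLL name resolved from anywhere other
    # than the system directories means the loader found an impostor first.
    if dll_name in SYSTEM_DLL_NAMES and not dll_dir.startswith(SYSTEM_DIRS):
        hits.append("system_dll_name_outside_system_dir")
    # Side-loading: a signed EXE in a user-writable location pulling an
    # unsigned DLL from its own directory.
    if (dll_dir == proc_dir and proc_signed and not dll_signed
            and not dll_dir.startswith(TRUSTED_DIRS)):
        hits.append("unsigned_dll_beside_signed_exe")
    return hits


def scan_image_loads(lines):
    """Return (event_index, rule) pairs for every record that fires a rule."""
    return [(i, rule)
            for i, line in enumerate(lines)
            for rule in evaluate_image_load(parse_event(line))]


if __name__ == "__main__":
    for index, rule in scan_image_loads(SAMPLE_IMAGE_LOADS):
        print(f"event {index}: {rule}")
```

The second rule is the one that keeps firing after the operator renames the side-loaded DLL, because it keys on the directory relationship and the signature mismatch rather than on a name; the first rule is cheap but only catches hijacks of the names you enumerate.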

Enterprise T1572 Protocol Tunneling

Cinnamon Tempest has used the Iox and NPS proxy and tunneling tools in combination to create multiple connections through a single tunnel.[5]

Enterprise T1140 Deobfuscate/Decode Files or Information

Cinnamon Tempest has used weaponized DLLs to load and decrypt payloads.[5]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Cinnamon Tempest has used PowerShell to communicate with C2, download files, and execute reconnaissance commands.[5]

.003 Command and Scripting Interpreter: Windows Command Shell

Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO.[1]

.006 Command and Scripting Interpreter: Python

Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module to create renamed output files.[1] The stock wmiexec.py writes each command's output to a file named __<timestamp> on the target's ADMIN$ share and reads it back over SMB; changing that file name defeats detections keyed on the "__" prefix while leaving the underlying mechanism intact.

Enterprise T1484 .001 Domain or Tenant Policy Modification: Group Policy Modification

Cinnamon Tempest has used Group Policy to deploy batch scripts for ransomware deployment.[1]

Enterprise T1078 Valid Accounts

Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services.[5]

.002 Domain Accounts

Cinnamon Tempest has obtained highly privileged credentials such as domain administrator in order to deploy malware.[1]

Enterprise T1080 Taint Shared Content

Cinnamon Tempest has deployed ransomware from a batch file in a network share.[1]
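The WMI lateral movement entries above (Impacket wmiexec, including the customized variant with renamed output files) and the Group Policy entries (batch scripts pushed via GPO and run from a network share) both leave a characteristic process-creation footprint. The following Python is an added example, not code from ATT&CK or from the cited reports: it runs three rules over constructed Sysmon-style Event ID 1 records. The loopback-share rule deliberately matches the `\\127.0.0.1\ADMIN$\` redirection that wmiexec.py and smbexec.py use to collect output over SMB rather than the `__<timestamp>` file name, so it still fires on the renamed variant. Field names follow Sysmon conventions; the host names, share paths and commands are invented.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation records (Event ID 1), one
# "key=value|key=value" line each. Invented for this example; the host names,
# share paths and commands are not from any real intrusion.
SAMPLE_EVENTS = [
    # Stock Impacket wmiexec.py: WmiPrvSE.exe spawns cmd.exe and the output is
    # redirected to the loopback ADMIN$ share under the default "__<timestamp>" name.
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1699999999.1234 2>&1",
    # Customised wmiexec.py: same mechanism, output file renamed to look routine.
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=cmd.exe /Q /c ipconfig /all 1> \\\\127.0.0.1\\ADMIN$\\Temp\\report.log 2>&1",
    # Group Policy script engine running a batch file straight from a share.
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\gpscript.exe"
    "|CommandLine=C:\\Windows\\System32\\cmd.exe /c \\\\dc01.corp.local\\netlogon\\deploy.bat",
    # Benign: an administrator running a local batch file from Explorer.
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=cmd.exe /c C:\\Tools\\inventory.bat",
    # Benign: WMI provider host spawning a non-shell child, no loopback redirection.
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=wmic os get caption",
]

# Output redirected to \\127.0.0.1\<ADMIN$|C$|...>\...: how wmiexec.py and
# smbexec.py collect command output over SMB. Matching the share rather than
# the file name is what lets the rule survive a renamed output file.
LOOPBACK_SHARE_REDIRECT = re.compile(
    r">\s*\\\\127\.0\.0\.1\\(?:admin|[a-z])\$\\", re.IGNORECASE)
# A .bat/.cmd script referenced by UNC path.
UNC_SCRIPT = re.compile(r"\\\\[^\\\s]+\\\S+\.(?:bat|cmd)\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class Finding:
    event_index: int
    rule: str
    severity: str


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict. Values may contain '='
    but, in these constructed samples, never '|'."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(fields):
    """Return (rule, severity) pairs for one parsed process-creation event."""
    image = basename(fields.get("Image", ""))
    parent = basename(fields.get("ParentImage", ""))
    cmdline = fields.get("CommandLine", "")
    hits = []
    if image in SHELLS and LOOPBACK_SHARE_REDIRECT.search(cmdline):
        hits.append(("loopback_admin_share_redirect", "high"))
    # WMI-spawned shell: the execution path of wmiexec-style lateral movement.
    if image in SHELLS and parent == "wmiprvse.exe":
        hits.append(("wmi_spawned_shell", "medium"))
    # GPO startup/logon script engine running a batch file from a network
    # share: the layout used for GPO-driven ransomware deployment.
    if parent == "gpscript.exe" and UNC_SCRIPT.search(cmdline):
        hits.append(("gpo_script_from_network_share", "medium"))
    return hits


def scan(lines):
    """Run every rule over every record and return the findings in order."""
    return [Finding(i, rule, sev)
            for i, line in enumerate(lines)
            for rule, sev in evaluate(parse_event(line))]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_index}: {f.rule} ({f.severity})")
```

The `wmi_spawned_shell` rule alone is noisy in environments that use WMI for legitimate management; its value is as a corroborating signal next to the loopback redirection, which has almost no benign use. The GPO rule is best paired with an alert on recently modified Group Policy objects, since the batch file is only one half of that deployment.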

Enterprise T1588 .002 Obtain Capabilities: Tool

Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage.[5][4]

Enterprise T1657 Financial Theft

Cinnamon Tempest has maintained leak sites for exfiltrated data in an attempt to extort victims into paying a ransom.[1]

Enterprise T1105 Ingress Tool Transfer

Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts.[5]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Cinnamon Tempest has used SMBexec for lateral movement.[5]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS.[5]
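Both the keylogger that ships its logs to Alibaba cloud storage (T1588.002 above) and this OSS exfiltration entry come down to the same network signal: uploads from endpoints to `oss-<region>.aliyuncs.com` hosts. The following Python is an added example, not code from ATT&CK or the cited reports: it aggregates constructed web-proxy log lines per source host and raises an alert on upload volume, on a low-and-slow upload count (the keylogger pattern), or on rclone's default `rclone/` User-Agent prefix. The log format, bucket names and thresholds are assumptions for the example; OSS is a legitimate service, so in production the bucket hosts a business actually uses would be allowlisted first.

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines (invented for this example; the bucket and
# host names are made up). Format:
#   <ts> src=<ip> method=<m> host=<h> bytes_out=<n> ua=<user agent>
SAMPLE_PROXY_LOG = [
    "2024-03-01T10:00:01Z src=10.0.5.21 method=PUT host=corp-backup-x7.oss-cn-hangzhou.aliyuncs.com bytes_out=52428800 ua=Mozilla/5.0",
    "2024-03-01T10:00:09Z src=10.0.5.21 method=PUT host=corp-backup-x7.oss-cn-hangzhou.aliyuncs.com bytes_out=52428800 ua=Mozilla/5.0",
    "2024-03-01T10:00:17Z src=10.0.5.21 method=PUT host=corp-backup-x7.oss-cn-hangzhou.aliyuncs.com bytes_out=1048576 ua=Mozilla/5.0",
    # Benign: a browser fetching a static asset served from OSS.
    "2024-03-01T10:01:00Z src=10.0.7.8 method=GET host=static-assets.oss-cn-beijing.aliyuncs.com bytes_out=512 ua=Mozilla/5.0",
    # Small upload, but carrying rclone's default User-Agent.
    "2024-03-01T10:02:00Z src=10.0.9.3 method=PUT host=files.oss-ap-southeast-1.aliyuncs.com bytes_out=4096 ua=rclone/v1.65.2",
    # Non-OSS POST, ignored by the rules.
    "2024-03-01T10:03:00Z src=10.0.7.8 method=POST host=login.corp.local bytes_out=2048 ua=Mozilla/5.0",
] + [
    # Low-and-slow: a keylog-sized upload every minute from one host.
    f"2024-03-01T11:{m:02d}:00Z src=10.0.3.4 method=PUT host=kl-drop.oss-cn-shenzhen.aliyuncs.com bytes_out=3072 ua=python-requests/2.31"
    for m in range(12)
]

LINE = re.compile(r"src=(\S+) method=(\S+) host=(\S+) bytes_out=(\d+) ua=(.*)$")
# OSS endpoints are oss-<region>.aliyuncs.com; bucket-style hosts prepend the
# bucket name as <bucket>.oss-<region>.aliyuncs.com.
OSS_HOST = re.compile(r"(?:^|\.)oss-[a-z0-9-]+\.aliyuncs\.com$", re.IGNORECASE)
UPLOAD_METHODS = {"PUT", "POST"}


def parse_line(line):
    """Return the fields of one proxy line as a dict, or None if it does not parse."""
    m = LINE.search(line)
    if not m:
        return None
    src, method, host, bytes_out, ua = m.groups()
    return {"src": src, "method": method.upper(), "host": host,
            "bytes_out": int(bytes_out), "ua": ua}


def detect_oss_exfil(lines, volume_threshold=50 * 1024 * 1024, count_threshold=10):
    """Aggregate uploads to OSS per source and return one alert dict per source
    that trips the volume, upload-count or rclone User-Agent rule."""
    per_src = defaultdict(lambda: {"bytes": 0, "uploads": 0, "hosts": set(), "rclone": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS or not OSS_HOST.search(rec["host"]):
            continue  # downloads and non-OSS traffic are out of scope
        s = per_src[rec["src"]]
        s["bytes"] += rec["bytes_out"]
        s["uploads"] += 1
        s["hosts"].add(rec["host"])
        if rec["ua"].startswith("rclone/"):
            s["rclone"] = True
    alerts = []
    for src, s in sorted(per_src.items()):
        reasons = []
        if s["bytes"] >= volume_threshold:
            reasons.append("volume")            # bulk exfiltration
        if s["uploads"] >= count_threshold:
            reasons.append("upload_count")      # periodic small uploads (keylogger-style)
        if s["rclone"]:
            reasons.append("rclone_user_agent")  # tooling fingerprint regardless of size
        if reasons:
            alerts.append({"src": src, "bytes": s["bytes"], "uploads": s["uploads"],
                           "hosts": sorted(s["hosts"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_oss_exfil(SAMPLE_PROXY_LOG):
        print(alert)
```

The count rule is the one that matters for the keylogger case: each upload is tiny, so a volume threshold never trips, but a workstation that writes to the same bucket every minute is not normal user behaviour. Tune `count_threshold` against a baseline window rather than a single day, and treat the rclone rule as a fingerprint of the tool, not of the destination.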

Software

ID Name References Techniques
S1096 Cheerscrypt [5][3] Data Encrypted for Impact, File and Directory Discovery, Service Stop
S0154 Cobalt Strike [1][6] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S1097 HUI Loader [4][6] Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Impair Defenses: Indicator Blocking
S0357 Impacket [1][5] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0664 Pandora [1][4][5][6] Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Application Layer Protocol: Web Protocols, Exploitation for Privilege Escalation, Traffic Signaling, Obfuscated Files or Information, System Services: Service Execution, Ingress Tool Transfer, Process Discovery, Process Injection, Subvert Trust Controls: Code Signing Policy Modification
S0013 PlugX [6] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S1040 Rclone [5] Archive Collected Data: Archive via Utility, Data Transfer Size Limits, File and Directory Discovery, Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Web Service: Exfiltration to Cloud Storage
S0633 Sliver [1] Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Data Obfuscation: Steganography, Data Encoding: Standard Encoding, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, System Network Connections Discovery, System Network Configuration Discovery, Access Token Manipulation, Ingress Tool Transfer, Process Injection, Exfiltration Over C2 Channel

References