
G1021 Cinnamon Tempest

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain. [5][4][3][2]

Item | Value
ID | G1021
Associated Names | DEV-0401, Emperor Dragonfly, BRONZE STARLIGHT
Version | 1.0
Created | 06 December 2023
Last Modified | 04 April 2024

Associated Group Descriptions

Name | Description
DEV-0401 | [4]
Emperor Dragonfly | [1]
BRONZE STARLIGHT | [6]

Techniques Used

Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Cinnamon Tempest has used PowerShell to communicate with C2, download files, and execute reconnaissance commands. [1]
enterprise | T1059.003 | Windows Command Shell | Cinnamon Tempest has executed ransomware using batch scripts deployed via GPO. [5]
enterprise | T1059.006 | Python | Cinnamon Tempest has used a customized version of the Impacket wmiexec.py module to create renamed output files. [5]
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.003 | Windows Service | Cinnamon Tempest has created system services to establish persistence for deployed tooling. [1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Cinnamon Tempest has used weaponized DLLs to load and decrypt payloads. [1]
enterprise | T1484 | Domain or Tenant Policy Modification | -
enterprise | T1484.001 | Group Policy Modification | Cinnamon Tempest has used Group Policy to deploy batch scripts for ransomware deployment. [5]
enterprise | T1567 | Exfiltration Over Web Service | -
enterprise | T1567.002 | Exfiltration to Cloud Storage | Cinnamon Tempest has uploaded captured keystroke logs to the Alibaba Cloud Object Storage Service, Aliyun OSS. [1]
enterprise | T1190 | Exploit Public-Facing Application | Cinnamon Tempest has exploited multiple unpatched vulnerabilities for initial access, including vulnerabilities in Microsoft Exchange, ManageEngine ADSelfService Plus, Confluence, and Log4j. [5][7][1][2]
enterprise | T1657 | Financial Theft | Cinnamon Tempest has maintained leak sites for exfiltrated data in an attempt to extort victims into paying a ransom. [5]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.001 | DLL | Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons. [5][2] Cinnamon Tempest has also abused legitimate executables to side-load weaponized DLLs. [1]
enterprise | T1105 | Ingress Tool Transfer | Cinnamon Tempest has downloaded files, including Cobalt Strike, to compromised hosts. [1]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | Cinnamon Tempest has used open-source tools including customized versions of the Iox proxy tool, NPS tunneling tool, Meterpreter, and a keylogger that uploads data to Alibaba cloud storage. [1][2]
enterprise | T1572 | Protocol Tunneling | Cinnamon Tempest has used the Iox and NPS proxy and tunneling tools in combination to create multiple connections through a single tunnel. [1]
enterprise | T1090 | Proxy | Cinnamon Tempest has used a customized version of the Iox port-forwarding and proxy tool. [1]
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | Cinnamon Tempest has used SMBexec for lateral movement. [1]
enterprise | T1080 | Taint Shared Content | Cinnamon Tempest has deployed ransomware from a batch file in a network share. [5]
enterprise | T1078 | Valid Accounts | Cinnamon Tempest has used compromised user accounts to deploy payloads and create system services. [1]
enterprise | T1078.002 | Domain Accounts | Cinnamon Tempest has obtained highly privileged credentials such as domain administrator in order to deploy malware. [5]
enterprise | T1047 | Windows Management Instrumentation | Cinnamon Tempest has used Impacket for lateral movement via WMI. [5][1]

Software

ID | Name | References | Techniques
S1096 | Cheerscrypt | [1][3] | Hypervisor CLI: Command and Scripting Interpreter; Data Encrypted for Impact; File and Directory Discovery; Service Stop; Virtual Machine Discovery
S0154 | Cobalt Strike | [5][6] | Sudo and Sudo Caching: Abuse Elevation Control Mechanism; Bypass User Account Control: Abuse Elevation Control Mechanism; Parent PID Spoofing: Access Token Manipulation; Token Impersonation/Theft: Access Token Manipulation; Make and Impersonate Token: Access Token Manipulation; Domain Account: Account Discovery; DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; File Transfer Protocols: Application Layer Protocol; BITS Jobs; Browser Session Hijacking; JavaScript: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Python: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Data from Local System; Protocol or Service Impersonation: Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography: Encrypted Channel; Symmetric Cryptography: Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Timestomp: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools: Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros: Office Application Startup; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; Domain Groups: Permission Groups Discovery; Local Groups: Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection: Process Injection; Process Hollowing: Process Injection; Process Injection; Protocol Tunneling; Domain Fronting: Proxy; Internal Proxy: Proxy; Query Registry; Reflective Code Loading; Remote Desktop Protocol: Remote Services; SSH: Remote Services; Windows Remote Management: Remote Services; SMB/Windows Admin Shares: Remote Services; Distributed Component Object Model: Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing: Subvert Trust Controls; Rundll32: System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; Pass the Hash: Use Alternate Authentication Material; Domain Accounts: Valid Accounts; Local Accounts: Valid Accounts; Windows Management Instrumentation
S1097 | HUI Loader | [2][6] | Deobfuscate/Decode Files or Information; DLL: Hijack Execution Flow; Indicator Blocking: Impair Defenses
S0357 | Impacket | [5][1] | LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle; Lateral Tool Transfer; Network Sniffing; NTDS: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Kerberoasting: Steal or Forge Kerberos Tickets; Ccache Files: Steal or Forge Kerberos Tickets; Service Execution: System Services; Windows Management Instrumentation
S0664 | Pandora | [5][2][1][6] | Web Protocols: Application Layer Protocol; Windows Service: Create or Modify System Process; Symmetric Cryptography: Encrypted Channel; Exploitation for Privilege Escalation; DLL: Hijack Execution Flow; Ingress Tool Transfer; Modify Registry; Compression: Obfuscated Files or Information; Process Discovery; Process Injection; Code Signing Policy Modification: Subvert Trust Controls; Service Execution: System Services; Traffic Signaling
S0013 | PlugX | [6] | Web Protocols: Application Layer Protocol; DNS: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Local Data Staging: Data Staged; Debugger Evasion; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Mutual Exclusion: Execution Guardrails; Exfiltration Over C2 Channel; File and Directory Discovery; Hidden Files and Directories: Hide Artifacts; Hidden Window: Hide Artifacts; DLL: Hijack Execution Flow; Disable or Modify System Firewall: Impair Defenses; Clear Persistence: Indicator Removal; File Deletion: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Local Storage Discovery; Masquerade Task or Service: Masquerading; Match Legitimate Resource Name or Location: Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Binary Padding: Obfuscated Files or Information; Dynamic API Resolution: Obfuscated Files or Information; Obfuscated Files or Information; Encrypted/Encoded File: Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task: Scheduled Task/Job; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; MSBuild: Trusted Developer Utilities Proxy Execution; Malicious File: User Execution; System Checks: Virtualization/Sandbox Evasion; Dead Drop Resolver: Web Service
S1040 | Rclone | [1] | Archive via Utility: Archive Collected Data; Data Transfer Size Limits; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol: Exfiltration Over Alternative Protocol; Exfiltration Over Unencrypted Non-C2 Protocol: Exfiltration Over Alternative Protocol; Exfiltration to Cloud Storage: Exfiltration Over Web Service; File and Directory Discovery
S0633 | Sliver | [5] | Bypass User Account Control: Abuse Elevation Control Mechanism; Access Token Manipulation; DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; Application Layer Protocol; PowerShell: Command and Scripting Interpreter; Standard Encoding: Data Encoding; Steganography: Data Obfuscation; Asymmetric Cryptography: Encrypted Channel; Symmetric Cryptography: Encrypted Channel; Exfiltration Over C2 Channel; File and Directory Discovery; Ingress Tool Transfer; Obfuscated Files or Information; Compile After Delivery: Obfuscated Files or Information; Encrypted/Encoded File: Obfuscated Files or Information; LSASS Memory: OS Credential Dumping; Process Injection; Internal Proxy: Proxy; Screen Capture; Golden Ticket: Steal or Forge Kerberos Tickets; System Network Configuration Discovery; System Network Connections Discovery

References