New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe

So-called previously undetected APT (Advanced Persistent Threat) attackers red stinger Believed to be related to attacks targeting Eastern Europe since 2020.

In a report released today, Malwarebytes said “military, transportation and critical infrastructure were some of the companies targeted, some of which were involved in the Eastern Ukraine referendum in September.”

“In some campaigns, attackers were able to steal snapshots, USB drives, keyboard strokes, and microphone recordings.”

Red Stinger overlaps with the threat cluster that Kaspersky revealed last month under the name Bad Magic, which last year targeted government, agricultural and transport organizations in Donetsk, Lugansk and Crimea.

There have been indications that the APT group may have been active since at least September 2021, but Malwarebytes’ latest findings date back nearly a year to the group’s origins, with first activity dating back to December 2020. Done.

The attack chain at the time allegedly utilized a malicious installer file to drop a DBoxShell (aka PowerMagic) implant onto the compromised system. MSI files are downloaded using a Windows shortcut file contained within a ZIP archive.

Subsequent waves detected in April and September 2021 have been observed to utilize a similar attack chain, albeit with minor differences in MSI filenames.

The fourth attack coincided with the launch of Russia’s military invasion of Ukraine in February 2022. The last known activity related to Red Stinger occurred in September 2022, as documented by Kaspersky.

“DBoxShell is malware that uses cloud storage services as a command and control (C&C) mechanism,” said security researchers Roberto Santos and Hossein Jaji.

“This stage acts as an entry point for attackers, allowing them to assess whether a target is interesting or not.

The fifth operation is also notable for providing an alternative to DBoxShell called GraphShell. GraphShell is so named because it uses the Microsoft Graph API for C&C purposes.

Following the initial infection phase, the attackers deploy additional artifacts such as ngrok, rsockstun (a reverse tunneling utility), and binaries to exfiltrate the victim’s data to attacker-controlled Dropbox accounts.

The exact scale of the infection is unknown, but evidence points to two victims in central Ukraine, a military target and a critical infrastructure worker, compromised as part of the February 2022 attacks. there is

In both cases, the attackers leaked screenshots, microphone recordings, and office documents after a period of reconnaissance. One of the victims had her keystrokes recorded and uploaded as well.

On the other hand, the September 2022 invasion set is notable for the fact that it primarily named areas allied with Russia, including officials and individuals involved in the election. In one of her monitored subjects, data was exfiltrated from a USB drive.

Malwarebytes said it also identified an infected library in the Ukrainian city of Vinnytsia as part of the same campaign, making it the only Ukrainian-affiliated entity targeted. The motive is currently unknown.

The origins of this threat group are a mystery, but sometime in December 2022, it was revealed that the attackers had infected their own Windows 10 machines, either by accident or for testing purposes (named TstUser), and used their modus operandi.

Two things stand out. English is selected as the default language and the Fahrenheit temperature scale is used to display the weather. This probably suggests the involvement of native English speakers.

“In this case, it is not easy to attribute the attack to a specific country,” the researchers said. “Some victims are aligned with Russia and others with Ukraine, so either the country concerned or the linked group could be held responsible.”

“What is clear is that surveillance and data collection were the primary motives for the attack. It was clearly targeting a specific entity.”