Red Stinger APT Group Targeting Ukrainian Military, Transport Orgs Since 2020

An undetected Red Stinger operation

• The attacks have targeted military, transportation, and critical infrastructure entities across Ukraine.
• Kaspersky analyzed one of the attacks by Red Stinger in March that used the PowerMagic backdoor and CommonMagic framework. However, this was not the only attack performed by the group, and several other tools stayed hidden.
• Recent findings revealed that the attacks involved different tools and malware such as DBoxShell, SolarTools, Ntinit, Ntuser, Ngrok, Rsockstun, ListFiles, SysInfo, ListVars, InstallNewPZZ, Ld_dll_loader, and StartRevSocks.

Attack timeline

• The First Operation was performed in December 2020. The infection chain involved the use of an MSI file being downloaded from a URL and executing a VBS file that runs a .dll file.
• The Second Operation (April 2021) used a zip file named RESOLUTION No 583-НС[.]zip. The method of propagation of this file remains unknown, however, the was Luhansk themed.
• The experts have very little information regarding the Third Operation (September 2021). According to TTPs, they discovered overlapping techniques with both previous and subsequent operations.
• In the Fourth Operation (February 2022), the group used a malicious MSI file that included a PDF, a VBS, and a data file. The .vbs file runs a .dat file that includes a small loader and a DBoxShell.
• The Fifth Operation (March 2023), involves the use of malicious LNK leading to remotely hosted malicious MSI files downloaded and run by the Windows Installer executable.

Who are the victims?

• In Operation Four, military personnel and an officer in central Ukraine were targeted.
• In Operation Five, criminals targeted workers at Yasinovataya Administration and DPR administration.
• There was an advisor from the Ukrainian Central Election Commission who experienced the attack.
• Other victims were related to the transportation ministry or equivalent, along with a library in Vinnitsya.

Conclusion