Researchers revealed that the advanced persistent threat group Red Stinger APT had been targeting organisations in Eastern Ukraine for several years. According to reports, the Red Stinger campaign has also been tracked under the name Bad Magic. The group executed obfuscated attacks that infected different Ukrainian sectors.
The recent report covers the same campaign, which started in 2020 and remained undetected until 2022. The primary targets of the campaign are the Ukrainian military, transportation, and critical sectors.
Researchers investigated one of the attacks earlier this year and discovered that the group used the PowerMagic and CommonMagic frameworks. Unfortunately, other attacks the actors performed remain hidden to this day.
The group used several tools and malware strains to perform their activities. The verified tools and malware strains are Ntinit, Ntuser, ListFiles, SysInfo, Ngrok, InstallNewPZZ, Ld_dll_loader, DBoxShell, SolarTools, ListVars, and StartRevSocks.
The Red Stinger APT executed its first Ukrainian attack a few years ago.
Investigations showed that the first operation of the Red Stinger APT group occurred in December 2020. The infection chain leverages an MSI archive downloaded from a URL to execute a VBS file, which in turn runs a DLL file.
The group's latest operation, by contrast, uses a compromised LNK file that leads to the download of malicious MSI files, which are then executed by the Windows Installer executable.
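The process chains described above (Windows Installer fetching an MSI from a URL, the MSI handing off to a VBS script host, and the script host launching a DLL loader) can be turned into simple detection rules over endpoint process-creation telemetry. The following is an added example written for this article, not code from the original report; the event layout, the sample process tree and the assumption that the DLL is launched through rundll32 or regsvr32 are constructed for illustration.

```python
# Added example: detect the MSI -> VBS -> DLL chain in constructed process-creation events.
# Event fields, paths and the rundll32/regsvr32 assumption are illustrative, not from the report.
import re

# Constructed sample events: (pid, ppid, image path, command line).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Windows\System32\msiexec.exe",
     "msiexec.exe /i https://example.invalid/update.msi /qn"),
    (300, 200, r"C:\Windows\System32\wscript.exe",
     r"wscript.exe C:\Users\Public\install.vbs"),
    (400, 300, r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\Public\stage.dll,Start"),
    # Benign local install: msiexec with a local package path, no URL.
    (500, 100, r"C:\Windows\System32\msiexec.exe",
     r"msiexec.exe /i C:\Setup\office.msi /qn"),
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) hits for the stages of the MSI/VBS/DLL chain."""
    by_pid = {pid: (ppid, basename(img), cmd) for pid, ppid, img, cmd in events}
    hits = []
    for pid, (ppid, image, cmd) in by_pid.items():
        parent = by_pid.get(ppid)
        # Rule 1: Windows Installer pulling a package from a remote URL.
        if image == "msiexec.exe" and URL_RE.search(cmd):
            hits.append(("msiexec_remote_url", pid))
        # Rule 2: msiexec spawning a script host on a .vbs (MSI custom action).
        if image in SCRIPT_HOSTS and cmd.lower().endswith(".vbs"):
            if parent and parent[1] == "msiexec.exe":
                hits.append(("msi_spawns_vbs", pid))
        # Rule 3: the script host handing execution to a DLL loader.
        if image in DLL_LOADERS and ".dll" in cmd.lower():
            if parent and parent[1] in SCRIPT_HOSTS:
                hits.append(("script_host_spawns_dll_loader", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The local install at pid 500 is deliberately left unflagged to show that the URL check, not msiexec itself, is the discriminating signal.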
Some of the group's operations have targeted military personnel and an officer in Central Ukraine. In addition, an advisor from the Ukrainian Central Election Commission was also attacked. Other victims of the group are linked to the transportation ministry.
The Red Stinger APT group has utilised various malware strains to remain undetected since 2020 and continues to attack several Ukrainian private and government entities. Furthermore, the group has successfully carried out numerous operations, which makes it challenging for organisations to spot and obstruct its attacks.
Organisations can only rely on the published IOCs for this campaign to remain protected against such threats.