
RedStinger Targets Critical Infrastructure

May 22, 2023 3:49:00 PM / by The Hivemind

RedStinger
Related Families: DboxShell, PowerMagic
Verticals Targeted: Defense, Critical Infrastructure, Transportation

Executive Summary

RedStinger, a relatively unknown threat actor group, targeted multiple entities in Ukraine, including those in the defense, transportation, and critical infrastructure verticals.

Key Takeaways

  • RedStinger targeted multiple entities in Ukraine, including those in the defense, transportation, and critical infrastructure verticals. 
  • RedStinger engaged in at least five separate operations, beginning as early as 2020. 
  • RedStinger’s goal appears to be espionage.

RedStinger Activity

Malwarebytes recently reported on RedStinger. RedStinger, a relatively unknown threat actor group, targeted multiple entities in Ukraine, including those in the defense, transportation, and critical infrastructure verticals.

The first operation began as early as 2020. It used an infection chain that began with an MSI file. When executed, the MSI file showed an error and executed a .vbs file that runs a dll. When the dll is executed, two files are dropped: iesync.so and iesync.vbs. The file iesync.vbs applies an XOR operation to iesync.so, resulting in a file called DBoxShell. DBoxShell is malware that uses cloud storage services for C2.

The second op was in April 2021. It leveraged a zip file, although the delivery mechanism is unknown. The zip contained a decoy PDF and an LNK file. The LNK downloads an MSI file. The rest of the attack chain is similar to the infection chain described in operation one.

The third operation occurred in 2022 amidst the Russia-Ukraine conflict. It is more loosely attributed to RedStinger, although the TTPs used overlap with known RedStinger TTPs.

The fourth op targeted military entities. In this operation, the threat actor used a malicious MSI file containing a PDF, a .vbs, and a .dat file. The infection chain was similar to that of previous operations. Files dropped include DboxShell and two MSI files, SolarTools.msi and Solar.msi. The MSI files contained Rsockstun and the legitimate but often abused Ngrok.exe. A file called vs_secpack.msi was used during the exfiltration phase.

The final operation targeted entities in the occupied territories and focused on elections.

Who is RedStinger?

RedStinger, also known as Bad Magic, is a relatively unknown threat actor group that targets entities in Ukraine. They have been active since at least 2020. The group seems to conduct espionage campaigns. RedStinger is known to target government, defense, agriculture, transportation, and critical infrastructure entities. The group was first publicly exposed by Kaspersky, who dubbed the group Bad Magic. TTPs include PowerMagic backdoor, CommonMagic framework, and using MSI and LNK files in the infection chain. 

IOCs

PolySwarm has multiple samples associated with this activity.


c68ce59f73c3d5546d500a296922d955ccc57c82b16ce4bd245ca93de3e32366
b6491d99d7193499a320bf6ad638146193af2ced6128afe8af3666a828f1b900
d956f2bf75d2fe9bf0d7c319b22a834976f1786b09ff1bba0d2e26c771b19ca2
9a6d4ac64fa6645c58a19b8c8795a8cb586b82f6a77aaf8f06eb83ba1f1390e8
78634be886ccb3949c8e5b8f0893cff32c474a466e4d4ceba35ba05c3d373bff
9c16cf1f962bf736e3d6fb9ec3a37bb6f92c5f6cb1886d4332694ccc94735de8
c75d905cd7826182505c15d39ebe952dca5b4c80fb62b8f7283fa09d7f51c815
f405a26904d2f6aaf4ff5f24dc345a24751d13b691a0bf17ba8c94f08ebb8b5b
bc93ef8e20f2a9a8799934d629fe494d5d82ea49e06ed8fb00ea6cc2e96f407e
82e4b4fddf5ea7b7c846d44bcc24d75edcec5726dfa5b81b9f43387a1fc1922a



You can use the following CLI command to search for all xx samples in our portal:

$ polyswarm link list -f RedStinger
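Besides searching the portal, a defender will usually want to sweep local file shares or collected artifacts against the published hashes. The following Python script is an added example, not PolySwarm's own tooling: it parses the SHA-256 list exactly as it appears in this bulletin (mixed case, blank lines), hashes every file under a directory, and reports any file whose digest matches. The only data it carries is the bulletin's IOC list; the file content in the usage note and test is constructed.

```python
"""Sweep a directory tree for files matching the SHA-256 IOCs in this bulletin."""
import hashlib
import os
import re
import sys
from typing import Dict, Set

# IOC list copied from the bulletin above, pasted as published (mixed case,
# blank lines); parse_ioc_list() normalises it so a raw paste is safe.
BULLETIN_IOC_TEXT = """
C68ce59f73c3d5546d500a296922d955ccc57c82b16ce4bd245ca93de3e32366

B6491d99d7193499a320bf6ad638146193af2ced6128afe8af3666a828f1b900

D956f2bf75d2fe9bf0d7c319b22a834976f1786b09ff1bba0d2e26c771b19ca2

9a6d4ac64fa6645c58a19b8c8795a8cb586b82f6a77aaf8f06eb83ba1f1390e8

78634be886ccb3949c8e5b8f0893cff32c474a466e4d4ceba35ba05c3d373bff

9c16cf1f962bf736e3d6fb9ec3a37bb6f92c5f6cb1886d4332694ccc94735de8

C75d905cd7826182505c15d39ebe952dca5b4c80fb62b8f7283fa09d7f51c815

F405a26904d2f6aaf4ff5f24dc345a24751d13b691a0bf17ba8c94f08ebb8b5b

Bc93ef8e20f2a9a8799934d629fe494d5d82ea49e06ed8fb00ea6cc2e96f407e

82e4b4fddf5ea7b7c846d44bcc24d75edcec5726dfa5b81b9f43387a1fc1922a
"""

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_ioc_list(text: str) -> Set[str]:
    """Return the well-formed SHA-256 hashes in text, lowercased.

    Blank lines and anything that is not exactly 64 hex characters are
    ignored, so labels or stray whitespace in a pasted report do no harm.
    """
    iocs: Set[str] = set()
    for line in text.splitlines():
        candidate = line.strip().lower()
        if _SHA256_RE.match(candidate):
            iocs.add(candidate)
    return iocs


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ioc_matches(root: str, iocs: Set[str]) -> Dict[str, str]:
    """Walk root and return {path: sha256} for every file whose hash is an IOC."""
    matches: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                file_hash = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            if file_hash in iocs:
                matches[path] = file_hash
    return matches


if __name__ == "__main__":
    # Usage: python ioc_sweep.py /path/to/collected/artifacts
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = find_ioc_matches(target, parse_ioc_list(BULLETIN_IOC_TEXT))
    for path, file_hash in sorted(hits.items()):
        print(f"MATCH {file_hash}  {path}")
    print(f"{len(hits)} matching file(s) under {target}")
```

A hash sweep only catches byte-identical samples, so treat a clean result as "none of these exact files are present", not as an absence of RedStinger activity; the MSI, .vbs and LNK delivery pattern described above is the more durable thing to hunt for.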

