"New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe"

An Advanced Persistent Threat (APT) actor called Red Stinger has been targeting Eastern Europe. Malwarebytes disclosed that the APT's targets included military, transportation, and critical infrastructure entities, as well as those involved in the September East Ukraine referendums. Depending on the campaign, the attackers have been able to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings. Red Stinger overlaps with a threat cluster known as Bad Magic that targeted Donetsk, Lugansk, and Crimea-based government, agriculture, and transportation organizations in April. Although there were signs that the APT group may have been active since at least September 2021, the most recent findings from Malwarebytes put the group's first operation in December 2020. Over the years, the attack chain has used malicious installer files to install the DBoxShell implant, also known as PowerMagic, on compromised systems. The MSI file is downloaded by a Windows shortcut file contained within a ZIP archive. Subsequent waves detected in April and September 2021 used similar attack sequences, with slight variations in the MSI file names. According to security researchers, DBoxShell is malware that uses cloud storage services as a command-and-control (C2) mechanism. This article continues to discuss researchers' findings regarding the Red Stinger APT group.

THN reports "New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe"
