Mysterious Red Stinger APT spying on pro-Ukraine and pro-Russia targets in Ukraine

A new cyber-espionage group dubbed “Red Stinger” has been spying on both pro-Ukraine targets in central Ukraine and pro-Russia targets in the parts of the Donetsk and Luhansk regions of eastern Ukraine that Russia has occupied since 2014, a new report from Malwarebytes reveals.

First spotted by the cybersecurity firm in September 2022, the group has been active since at least 2020, targeting entities in different regions of Ukraine, including the military, transportation and critical infrastructure sectors.

Depending on the campaign, the attackers managed to exfiltrate screenshots, the contents of USB drives, keystrokes, and microphone recordings.

In a February 2022 campaign the threat actor compromised a device belonging to a Ukrainian officer working on the country’s critical infrastructure, exfiltrated screenshots and documents, and even recorded audio from the microphone.

The attack began with a phishing email carrying a malicious attachment that downloaded a variant of the DBoxShell malware onto the victim’s device.

“DBoxShell is malware that utilizes cloud storage services as a command and control (C&C) mechanism. This stage serves as an entry point for the attackers, enabling them to assess whether the targets are interesting or not, meaning that in this phase they will use different tools,” Malwarebytes explained.

The attackers used two separate Dropbox accounts: one for reconnaissance and a different one for data exfiltration.
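Cloud-storage C2 blends into traffic most organisations allow, so the defensive question is how to tell a malicious Dropbox session from a legitimate one. The following Python sketch is an added example, not code from the Malwarebytes report or from this article: it runs a simple beaconing and bulk-upload check over a handful of constructed proxy log lines. The two hostnames are Dropbox’s real API and content endpoints; the log format, thresholds, IP addresses and byte counts are assumptions made for the example.

```python
"""Spot cloud-storage C2 in proxy logs: regular polling of the API host
(recon/tasking) and large uploads to the content host (exfiltration).

Added example; the log lines below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Real Dropbox API hostnames; which hosts to watch is an assumption for this example.
CLOUD_STORAGE_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

MIN_BEACONS = 4               # fewer requests than this is not enough to call a period
MAX_JITTER = 0.10             # coefficient of variation of the gaps between requests
EXFIL_BYTES_OUT = 1_000_000   # assumed threshold: uploads above this deserve a look

# Constructed log: "<ISO time> <src ip> <method> <host> <bytes out> <bytes in>"
SAMPLE_PROXY_LOG = """\
2022-09-12T08:00:03Z 10.1.4.22 POST api.dropboxapi.com 412 880
2022-09-12T08:05:01Z 10.1.4.22 POST api.dropboxapi.com 412 876
2022-09-12T08:10:05Z 10.1.4.22 POST api.dropboxapi.com 412 891
2022-09-12T08:15:02Z 10.1.4.22 POST api.dropboxapi.com 412 880
2022-09-12T08:20:04Z 10.1.4.22 POST api.dropboxapi.com 412 2210
2022-09-12T08:20:09Z 10.1.4.22 POST content.dropboxapi.com 1843200 310
2022-09-12T08:20:41Z 10.1.4.22 POST content.dropboxapi.com 2621440 310
2022-09-12T08:02:17Z 10.1.4.50 GET api.dropboxapi.com 230 4120
2022-09-12T11:47:55Z 10.1.4.50 POST content.dropboxapi.com 52000 310
"""


def parse_log(text):
    """Return (timestamp, src, host, bytes_out, bytes_in) tuples for each line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, out_b, in_b = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     src, host, int(out_b), int(in_b)))
    return rows


def analyze(text):
    """Group requests per (source, storage host) and flag two patterns:
    - 'beacon': at least MIN_BEACONS requests with near-constant spacing,
      the shape of a bot polling a shared folder for tasking;
    - 'exfil': total upload volume to a storage host above EXFIL_BYTES_OUT.
    """
    by_pair = defaultdict(list)
    for ts, src, host, out_b, in_b in parse_log(text):
        if host in CLOUD_STORAGE_HOSTS:
            by_pair[(src, host)].append((ts, out_b, in_b))

    findings = []
    for (src, host), events in by_pair.items():
        events.sort()
        times = [e[0] for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]

        if len(events) >= MIN_BEACONS:
            period = mean(gaps)
            jitter = pstdev(gaps) / period if period else 0.0
            if jitter <= MAX_JITTER:
                findings.append({"src": src, "host": host, "kind": "beacon",
                                 "period_s": round(period), "count": len(events)})

        total_out = sum(e[1] for e in events)
        if total_out >= EXFIL_BYTES_OUT:
            findings.append({"src": src, "host": host, "kind": "exfil",
                             "bytes_out": total_out})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_PROXY_LOG):
        print(f)
```

In the constructed sample, 10.1.4.22 polls the API host every five minutes with a few seconds of jitter and then pushes about 4 MB to the content host, while 10.1.4.50 makes two one-off requests and produces no finding. If the proxy records the bearer token or account identity per request, splitting the same data by account rather than by host is what would expose the recon-versus-exfiltration separation the researchers describe.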

“The object field was also revealing. It contained a Russian name (redacted for privacy) followed by the DNR letters (probably Donetskaya Narodnaya Respublika, referring to one of the cities declared independent in 2014, and a known target to the group),” the researchers note.

Red Stinger also targeted a member of Ukraine’s military, although in this case the attackers were active on the victim’s machine for only a few hours, probably because the victim noticed that something was wrong.

During a September 2022 campaign the group targeted multiple election officials running Russian referendums in the disputed cities of Luhansk, Donetsk, Zaporizhzhia and Kherson in Ukraine. One target was an adviser to Russia’s Central Election Commission, and another works on transportation, possibly railroad infrastructure, in the region.

Interestingly, a library in the city of Vinnitsya was also infected, although it is unclear why it was attacked, especially since it was the only Ukraine-aligned target in this campaign.

The researchers said that Red Stinger uses its own hacking tools and reuses characteristic scripts and infrastructure, including specific malicious URL generators and IP addresses. The researchers were able to get a glimpse of the group’s operations after discovering two victims (possibly members of Red Stinger) who appear to have infected themselves with Red Stinger malware while testing it or by mistake.

“In this case, attributing the attack to a specific country is not an easy task. Any of the involved countries or aligned groups could be responsible, as some victims were aligned with Russia, and others were aligned with Ukraine,” Malwarebytes said.

“What is clear is that the principal motive of the attack was surveillance and data gathering. The attackers used different layers of protection, had an extensive toolset for their victims, and the attack was clearly targeted at specific entities. Perhaps in the future, further events or additional activity from the group can shed light on the matter.”
