| Field | Value |
|---|---|
| Name | RingSpy |
| Type of Malware | Backdoor |
| Country of Origin | Ukraine (uncertain) |
| Date of initial activity | 2024 |
| Targeted Countries | Russia |
| Associated Groups | Mysterious Werewolf |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of information Stolen | Browser data |
| Tools | Python backdoor: the primary tool in the RingSpy arsenal is a custom Python-based backdoor. It allows the adversary to execute commands remotely, retrieve their output, and interact with the compromised system, and is built to be stealthy and flexible, with functions for data exfiltration and system manipulation. |
Overview
RingSpy is a sophisticated piece of malware that has emerged as a notable threat in the cybersecurity landscape, particularly in its use as a remote access backdoor. Discovered in early 2024, RingSpy represents an evolution in the tactics of advanced threat actors, combining traditional exploitation methods with innovative techniques to achieve its malicious objectives. This malware is primarily designed to provide attackers with persistent access to compromised systems, enabling them to execute commands, exfiltrate data, and maintain control over targeted networks.
Targets
RingSpy primarily targets organizations within the defense industry, as well as critical infrastructure sectors. This includes entities involved in national security, military operations, and strategic defense projects. The malware’s focus on these high-value targets suggests an intention to access sensitive and classified information that could be exploited for espionage or sabotage.
How they operate
The initial access phase of RingSpy begins with a phishing email, which contains a seemingly legitimate archive. This archive includes a PDF document and a malicious CMD file. Upon extraction and execution of the CMD file, the malware activates a series of scripts to deliver and install the RingSpy backdoor. The malware employs a combination of VBS and BAT scripts to ensure the backdoor is installed and operational. It creates a hidden Python environment within the victim’s system, using this environment to run the RingSpy backdoor, which is responsible for command execution and data exfiltration.
Persistence is a key component of RingSpy’s strategy. The malware sets up a scheduled task that repeatedly executes a VBS script every minute, ensuring that the RingSpy backdoor remains active even after system reboots. This task is configured to run a Python script, which is used to interact with the command-and-control (C2) server. RingSpy’s use of Telegram’s API for C2 communications is particularly notable. The malware sends commands and receives data through Telegram, leveraging its API for data exfiltration and command execution. This method of communication helps the malware evade traditional detection mechanisms that might flag more conventional C2 channels.
The RingSpy backdoor is designed to perform a variety of functions once installed. It can execute remote commands, download and upload files, and gather information from the compromised system. The malware is also capable of staging and exfiltrating data, preparing collected information for transfer to the attackers. The backdoor’s Python script facilitates these operations, ensuring that data is continuously sent to the Telegram-based C2 server.
RingSpy’s use of legitimate tools and services, such as Telegram for C2 and Python for executing scripts, makes it a particularly challenging threat to detect and mitigate. Its reliance on phishing to gain initial access and its sophisticated methods for maintaining persistence and evading detection highlight the evolving nature of cyber threats. Organizations, especially those in sensitive sectors like defense, must be vigilant and implement robust security measures to defend against such advanced malware campaigns.
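The persistence and C2 behaviours described in this section (a scheduled task that re-runs a VBS launcher every minute, a Python interpreter living in a hidden per-user directory, and Bot API traffic to Telegram from that interpreter) translate into a small set of hunting rules. The script below is an added example, not code from the original write-up or from the RingSpy sample. The event records it runs over are constructed for illustration and loosely follow Windows Security event 4698 (task registered) and Sysmon events 1 (process create) and 22 (DNS query); the task name, directory names, user name and thresholds are assumptions, not indicators taken from the page.

```python
"""Hunt for the RingSpy-style persistence/C2 chain over constructed log records."""
import re

# Directories an unprivileged user can write to; a hidden Python environment
# under one of these is the pattern described above (assumption: no legitimate
# scheduled task in this estate points a script host into them).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
INTERPRETERS = {"python.exe", "pythonw.exe"}
KNOWN_TELEGRAM_CLIENTS = {"telegram.exe"}   # allowlist of processes expected to talk to Telegram
TELEGRAM_API = "api.telegram.org"
MAX_BENIGN_REPEAT_MIN = 5                   # a task firing more often than this is unusual


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def iso_duration_minutes(value):
    """Parse the ISO 8601 duration subset used in task XML (P1D, PT1H30M, PT1M, PT30S).
    Returns minutes as a float, or None when the value is absent or unparseable."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def check_task_created(ev):
    """4698-style record: tight repetition plus a script host or interpreter aimed at a user-writable path."""
    interval = iso_duration_minutes(ev.get("repetition_interval"))
    cmd = basename(ev.get("command", ""))
    args = ev.get("arguments", "")
    if interval is None or interval > MAX_BENIGN_REPEAT_MIN:
        return None
    if cmd in (SCRIPT_HOSTS | INTERPRETERS) and USER_WRITABLE.search(args):
        return f"T1053 task '{ev['task_name']}' re-runs {cmd} {args} every {interval:g} min"
    return None


def check_process_created(ev):
    """Sysmon-1-style record: Python launched by a script host from a user-writable directory."""
    image = ev.get("image", "")
    parent = basename(ev.get("parent_image", ""))
    if basename(image) in INTERPRETERS and parent in SCRIPT_HOSTS and USER_WRITABLE.search(image):
        return f"T1059 {parent} spawned {image}"
    return None


def check_dns_query(ev):
    """Sysmon-22-style record: a process outside the Telegram allowlist resolving the Bot API host."""
    image = basename(ev.get("image", ""))
    if ev.get("query_name", "").lower() == TELEGRAM_API and image not in KNOWN_TELEGRAM_CLIENTS:
        return f"T1071 {image} resolved {TELEGRAM_API}"
    return None


RULES = {"task_created": check_task_created,
         "process_created": check_process_created,
         "dns_query": check_dns_query}


def hunt(events):
    """Run every record through the rule for its type; return (event id, finding) pairs."""
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("type"))
        hit = rule(ev) if rule else None
        if hit:
            findings.append((ev["id"], hit))
    return findings


# Constructed sample telemetry: three records mimicking the chain described above,
# interleaved with three benign look-alikes that the rules should ignore.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_created", "task_name": "\\SystemUpdater",          # constructed name
     "command": "C:\\Windows\\System32\\wscript.exe",
     "arguments": "C:\\Users\\alice\\AppData\\Roaming\\pyenv_hidden\\python.vbs",
     "repetition_interval": "PT1M"},
    {"id": 2, "type": "task_created", "task_name": "\\Vendor\\Update",          # benign daily task
     "command": "C:\\Program Files\\Vendor\\updater.exe", "arguments": "/silent",
     "repetition_interval": "P1D"},
    {"id": 3, "type": "process_created",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\pyenv_hidden\\python.exe",
     "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "python.exe main.py"},
    {"id": 4, "type": "process_created",                                        # developer's normal Python
     "image": "C:\\Program Files\\Python312\\python.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "command_line": "python.exe app.py"},
    {"id": 5, "type": "dns_query",
     "image": "C:\\Users\\alice\\AppData\\Roaming\\pyenv_hidden\\python.exe",
     "query_name": "api.telegram.org"},
    {"id": 6, "type": "dns_query",                                              # Telegram Desktop itself
     "image": "C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
     "query_name": "api.telegram.org"},
]

if __name__ == "__main__":
    for event_id, msg in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {msg}")
```

Run as-is, the script reports events 1, 3 and 5 and stays silent on the benign records. Each rule is deliberately narrow: the task rule needs both a sub-five-minute repetition and a script host pointed into a user-writable directory, which keeps vendor updaters and daily maintenance tasks out of the findings, and the DNS rule relies on an allowlist rather than blocking Telegram outright, since Telegram Desktop may be legitimately present. Tune `MAX_BENIGN_REPEAT_MIN` and `KNOWN_TELEGRAM_CLIENTS` to the environment before deploying the logic against real telemetry.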
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): RingSpy is delivered through phishing emails that contain a malicious archive. The emails often appear to be legitimate, encouraging recipients to open the archive, which contains both a PDF and a CMD file.
Execution:
Command and Scripting Interpreter (T1059): RingSpy uses various scripts, including CMD and VBS, to execute its payload and perform actions on the compromised system. This includes running the Python backdoor and other related commands.
Persistence:
Scheduled Task/Job (T1053): RingSpy establishes persistence by creating a scheduled task that runs a VBS launcher (python.vbs) at regular intervals, which in turn starts the Python backdoor. This ensures the backdoor remains active even after system reboots.
Privilege Escalation:
Valid Accounts (T1078): Although not directly mentioned, RingSpy’s use of legitimate tools and techniques for executing commands and maintaining persistence implies the use of valid accounts for higher privileges.
Defense Evasion:
Obfuscated Files or Information (T1027): The malware uses various methods to obfuscate its operations, including the use of encoded commands and hiding its presence with legitimate services.
File and Directory Discovery (T1083): RingSpy employs scripts to check for specific files and directories to determine its operation and prevent reinstallation.
Credential Access:
Credential Dumping (T1003): The malware does not directly dump credentials but may be involved in activities that could lead to credential access through its backdoor functionalities.
Discovery:
System Information Discovery (T1082): RingSpy may collect information about the system to tailor its actions and interactions based on the environment.
Command and Control:
Application Layer Protocol (T1071): RingSpy uses Telegram’s API for C2 communications, sending and receiving commands and exfiltrated data.
Exfiltration Over Command and Control Channel (T1041): Data is exfiltrated to the C2 server via Telegram messages and files.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): RingSpy sends collected data and command outputs to the C2 server through Telegram, allowing attackers to retrieve sensitive information from the compromised system.
Impact:
Data Staged (T1074): The malware stages data by collecting and preparing it for exfiltration, ensuring that valuable information is available for the attackers.