RingSpy (Backdoor) – Malware

June 10, 2024

RingSpy

Type of Malware

Backdoor

Country of Origin

Ukraine (Uncertain)

Date of initial activity

2024

Targeted Countries

Russia
Belarus

Associated Groups

Mysterious Werewolf

Motivation

Cyberwarfare
Data Theft

Attack Vectors

Phishing
Software Vulnerabilities

Targeted Systems

Windows

Type of Information Stolen

Browser Data
Communication Data
Corporate Data
Login credentials
Personally Identifiable Information (PII)
System Information

Tools

Python Backdoor: The core of RingSpy is a custom Python backdoor. It lets the operators run commands on the host, retrieve the output, transfer files in both directions and collect system information. Because it needs an interpreter, the installer scripts drop their own Python environment on the victim rather than relying on one being present.

Telegram Bot: Command and control runs through a Telegram bot. The backdoor fetches operator commands from the bot and returns command output and collected files through the same channel, so all C2 traffic is ordinary HTTPS to Telegram's API rather than to attacker-owned infrastructure.

Yandex Cloud API: The installer downloads the Python interpreter and additional payload files from Yandex Cloud storage, again using a legitimate service as the download source.

Scheduled Tasks: Persistence is a scheduled task created with schtasks that runs a VBS launcher (python.vbs) every minute. The launcher starts the Python backdoor, so the backdoor comes back after a reboot and is restarted if its process is killed.
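
The persistence mechanism above leaves a distinctive artifact: a task with a one-minute repetition whose action is a script host pointed at a file in a user-writable directory. The following hunt, an added example written for this article and not code from the BI.ZONE report or from RingSpy, parses task definitions in the XML layout that `schtasks /query /xml` emits and flags tasks where such indicators coincide. Both task definitions it runs on are constructed for illustration; the task names, paths and timestamps are made up.

```python
"""Hunt for minute-interval scheduled tasks that launch a script host or an
interpreter from a user-writable path (the RingSpy python.vbs pattern).

Added example for this article, not code from the BI.ZONE report or from
RingSpy. The task XML below is constructed to match the layout of
`schtasks /query /xml` output; names, paths and times are made up.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh", "cmd"}
SCRIPT_EXTS = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1", ".py")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed samples: one task shaped like the RingSpy launcher, one benign
# built-in maintenance task for contrast.
SAMPLE_TASKS = {
    r"\PythonUpdate": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2024-03-01T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //Nologo "C:\Users\alice\AppData\Local\python\python.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>""",
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T01:00:00</StartBoundary>
      <ScheduleByWeek><DaysOfWeek><Wednesday /></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def parse_interval_seconds(iso_duration):
    """Convert the ISO 8601 duration used by <Interval> (e.g. PT1M) to seconds."""
    m = ISO_DURATION.match(iso_duration.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_task(xml_text, fast_interval=300):
    """Return the task's action, its shortest repetition interval and the reasons
    it looks suspicious. Flagged when at least two independent indicators coincide."""
    # Exported task XML declares UTF-16; drop the declaration so a str parses cleanly.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip())
    command = (root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS) or "").strip()
    arguments = (root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS) or "").strip()

    interval = None  # shortest Repetition/Interval across all triggers
    for trigger in root.findall("t:Triggers/*", NS):
        raw = trigger.findtext("t:Repetition/t:Interval", namespaces=NS)
        secs = parse_interval_seconds(raw) if raw else None
        if secs is not None and (interval is None or secs < interval):
            interval = secs

    exe = command.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    cmdline = f"{command} {arguments}".lower()
    reasons = []
    if interval is not None and interval <= fast_interval:
        reasons.append(f"repeats every {interval}s")
    if exe in SCRIPT_HOSTS and any(ext in cmdline for ext in SCRIPT_EXTS):
        reasons.append(f"{exe} launches a script file")
    if exe.startswith("python") and "\\program files" not in cmdline:
        reasons.append("python interpreter outside Program Files")
    if any(marker in cmdline for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable path")
    return {"command": command, "arguments": arguments, "interval_seconds": interval,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def hunt(tasks):
    """Map task name -> assessment, keeping only the suspicious tasks."""
    flagged = {}
    for name, xml_text in tasks.items():
        result = assess_task(xml_text)
        if result["suspicious"]:
            flagged[name] = result
    return flagged


if __name__ == "__main__":
    for name, r in hunt(SAMPLE_TASKS).items():
        print(name, "->", r["command"], r["arguments"], "|", "; ".join(r["reasons"]))
```

On a live host the same XML comes from `schtasks /query /xml /tn "<task name>"` or from the task files under `%SystemRoot%\System32\Tasks`, which are stored in this format; Security event 4698 (task created) carries the same XML in its event data if auditing of object access for scheduled tasks is enabled. The two-indicator threshold is deliberate: a one-minute repetition alone is common in monitoring agents, and a script host alone is common in logon scripts, but the combination with a path under a user profile is rare outside malware.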

Overview

RingSpy is a remote-access backdoor first reported in early 2024 and attributed to the Mysterious Werewolf cluster. Rather than a compiled implant, it is a Python script delivered by a chain of CMD, VBS and BAT scripts, with command and control over the Telegram Bot API and payload hosting on Yandex Cloud. Its purpose is persistent access: the operators execute commands, collect and exfiltrate data, and keep a foothold in the targeted network.

Targets

RingSpy has been used against defense-industry and critical-infrastructure organizations, with targeting reported in Russia and Belarus: entities involved in national security, military production and strategic defense projects. The choice of targets points to espionage or sabotage, with sensitive or classified information as the objective.

How they operate

Initial access is a phishing email carrying an archive that contains a decoy PDF and a malicious CMD file. When the recipient extracts the archive and runs the CMD file, it starts a chain of VBS and BAT scripts that download a Python interpreter, set it up as a hidden Python environment on the host and drop the RingSpy backdoor script into it.

Persistence comes from a scheduled task created with schtasks. The task runs a VBS launcher every minute; the launcher starts the Python interpreter with the backdoor script. The task survives reboots, and the one-minute cadence means a killed backdoor is back within a minute.

Command and control uses the Telegram Bot API. The backdoor polls the bot for operator commands and returns command output and collected files through the same API. Because this is ordinary HTTPS to api.telegram.org, controls that key on unusual domains, custom protocols or attacker-owned infrastructure see nothing out of place. What does stand out is the shape of the requests, Bot API URLs of the form /bot<token>/<method>, and the process that makes them: a Python interpreter running from a user-writable directory rather than a browser or a known integration.

Once installed, the backdoor executes remote commands, uploads and downloads files, gathers system information, and stages collected data locally before sending it to the operators over the Telegram channel. Its reliance on legitimate services (Telegram for C2, Yandex Cloud for payload hosting) and on a stock interpreter rather than a custom binary is what makes it hard to detect with signature-based tooling.
Phishing for initial access, a scheduled task for persistence and a legitimate web service for C2 are each simple on their own; combined, they give a durable foothold with a small footprint. Organizations in sensitive sectors such as defense should assume this tradecraft and hunt for its artifacts rather than wait for a signature.
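
Detecting the C2 channel described above comes down to recognizing the Bot API request pattern in egress logs and attributing it to the process that made the requests. The following hunt, an added example written for this article and not code from the BI.ZONE report or from RingSpy, parses a constructed proxy/EDR network log, extracts the bot token from each Telegram Bot API URL and rates each (host, process, token) group by whether it both polls for commands and pushes results. Every host, user, process and bot token in the sample log is made up; the URL structure and token format are Telegram's documented Bot API conventions.

```python
"""Hunt for Telegram Bot API traffic that has the shape of a bot-driven
backdoor: one process on one host that both polls getUpdates for commands
and pushes results back with sendMessage/sendDocument.

Added example for this article, not code from the BI.ZONE report or from
RingSpy. The log lines are constructed in a generic proxy/EDR format, and
every host, user, process and bot token in them is made up.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+)$"
)
# Bot API calls are https://api.telegram.org/bot<token>/<method>; file downloads
# use /file/bot<token>/<path>. A token is <numeric bot id>:<35-character secret>.
BOTAPI_RE = re.compile(r"^/(?:file/)?bot(?P<token>\d{8,10}:[A-Za-z0-9_-]{35})/(?P<rest>.*)$")
PUSH_METHODS = {"sendmessage", "senddocument", "sendphoto"}
PULL_METHODS = {"getfile", "file"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z host=WS-0117 user=alice proc=chrome.exe url=https://web.telegram.org/a/ status=200
2024-03-04T09:00:02Z host=WS-0117 user=alice proc=python.exe url=https://api.telegram.org/bot123456789:AAH1_Xk3dfGhJkLmNoPqRsTuVwXyZ012345/getUpdates?offset=41 status=200
2024-03-04T09:01:02Z host=WS-0117 user=alice proc=python.exe url=https://api.telegram.org/bot123456789:AAH1_Xk3dfGhJkLmNoPqRsTuVwXyZ012345/getUpdates?offset=42 status=200
2024-03-04T09:01:03Z host=WS-0117 user=alice proc=python.exe url=https://api.telegram.org/bot123456789:AAH1_Xk3dfGhJkLmNoPqRsTuVwXyZ012345/sendMessage status=200
2024-03-04T09:02:02Z host=WS-0117 user=alice proc=python.exe url=https://api.telegram.org/bot123456789:AAH1_Xk3dfGhJkLmNoPqRsTuVwXyZ012345/sendDocument status=200
2024-03-04T09:02:10Z host=WS-0117 user=alice proc=python.exe url=https://api.telegram.org/file/bot123456789:AAH1_Xk3dfGhJkLmNoPqRsTuVwXyZ012345/documents/file_3.zip status=200
2024-03-04T09:05:00Z host=SRV-MON01 user=svc_monitor proc=node.exe url=https://api.telegram.org/bot987654321:AAE9zYxWvUtSrQpOnMlKjIhGfEdCbA98765/sendMessage status=200
"""


def classify_url(url):
    """Return (bot_token, method) for a Telegram Bot API request, else None.
    method is the lower-cased API call name, or 'file' for a file download."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOTAPI_RE.match(parts.path)
    if not m:
        return None
    if parts.path.startswith("/file/"):
        return m.group("token"), "file"
    return m.group("token"), m.group("rest").split("/")[0].lower()


def hunt(log_text):
    """Group Bot API calls by (host, process, token) and rate each group."""
    stats = defaultdict(lambda: {"polls": 0, "pushes": 0, "pulls": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        hit = classify_url(m.group("url"))
        if hit is None:
            continue
        token, method = hit
        s = stats[(m.group("host"), m.group("proc"), token)]
        if method == "getupdates":
            s["polls"] += 1
        elif method in PUSH_METHODS:
            s["pushes"] += 1
        elif method in PULL_METHODS:
            s["pulls"] += 1
        s["first"] = s["first"] or m.group("ts")
        s["last"] = m.group("ts")

    findings = []
    for (host, proc, token), s in stats.items():
        if proc.lower() in BROWSERS:
            continue  # an analyst pasting a bot URL into a browser is not a backdoor
        if s["polls"] and s["pushes"]:
            severity = "high"    # fetches commands and returns results: interactive C2
        elif s["polls"]:
            severity = "medium"  # polling only: C2 with no results sent yet
        else:
            severity = "low"     # push-only: may be a legitimate alerting integration
        findings.append({"host": host, "proc": proc, "bot_id": token.split(":")[0],
                         "token": token, "severity": severity, **s})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']} {f['proc']} bot {f['bot_id']} "
              f"polls={f['polls']} pushes={f['pushes']} pulls={f['pulls']} {f['first']}..{f['last']}")
```

The token in a finding is the actionable indicator: it identifies the attacker's bot uniquely and can be blocked at the proxy as a URL substring, and the bot id alone is enough to correlate sightings across hosts without copying the secret into a ticket. The push-only "low" tier exists because many organizations legitimately send alerts to Telegram; a process that never calls getUpdates is not receiving commands. Polling with a rising offset from an interpreter in a user profile is the RingSpy shape, and the one-minute gaps between polls in the sample match the scheduled-task cadence described above.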

MITRE Tactics and Techniques

Initial Access: Phishing (T1566), Spearphishing Attachment (T1566.001): the lure is an email carrying an archive that holds a decoy PDF and a malicious CMD file.

Execution: Command and Scripting Interpreter (T1059): the CMD file (Windows Command Shell, T1059.003) runs VBS and BAT scripts (Visual Basic, T1059.005) that install the backdoor and start it under the dropped Python interpreter (Python, T1059.006).

Persistence: Scheduled Task/Job (T1053), Scheduled Task (T1053.005): a task created with schtasks runs the VBS launcher (python.vbs) every minute, so the backdoor survives reboots and is restarted if killed.

Defense Evasion: Obfuscated Files or Information (T1027): encoded commands in the scripts, and a Python environment hidden on the host behind legitimate-looking names and services.

Discovery: File and Directory Discovery (T1083) and System Information Discovery (T1082): the installer scripts check for existing files and directories to decide whether to reinstall, and the backdoor gathers system information for the operators.

Command and Control: Application Layer Protocol, Web Protocols (T1071.001) and Web Service, Bidirectional Communication (T1102.002): commands and results are exchanged through the Telegram Bot API over HTTPS. Ingress Tool Transfer (T1105): the Python interpreter and additional payload files are downloaded from Yandex Cloud.

Collection: Data Staged (T1074): collected files and command output are staged locally before transfer.

Exfiltration: Exfiltration Over C2 Channel (T1041): staged data leaves the host as Telegram messages and file uploads through the same bot.

Valid Accounts (T1078) and OS Credential Dumping (T1003) are not documented for this campaign. The backdoor's remote command execution would let an operator attempt both, but no such activity has been reported, so they should not be treated as observed behaviour.
References
  • Mysterious Werewolf hits defense industry with new RingSpy backdoor
Tags: API, Backdoor, Infrastructure, Malware, Phishing, Telegram