{"id":444,"date":"2023-05-31T22:47:24","date_gmt":"2023-05-31T22:47:24","guid":{"rendered":"https:\/\/blog.scilabs.mx\/en\/?p=444"},"modified":"2023-05-31T22:47:24","modified_gmt":"2023-05-31T22:47:24","slug":"cyber-threat-profile-red-winterdog","status":"publish","type":"post","link":"https:\/\/blog.scilabs.mx\/en\/2023\/05\/31\/cyber-threat-profile-red-winterdog\/","title":{"rendered":"Cyber Threat Profile Red WinterDog"},"content":{"rendered":"

\"\"<\/p>\n

Overview<\/strong><\/h3>\n

The following post describes the modus operandi analysis of a threat actor named Red WinterDog<\/em> by SCILabs as, which operates the BlackDog<\/em> <\/a>and BlackBelen<\/em> <\/a>malware families.<\/p>\n

Red WinterDog<\/em> targets users of all types in Mexico, including employees of organizations intending to steal victims’ banking and personal information, and business email accounts, using web browser malicious extensions designed primarily for Google Chrome and Edge. The initial access vectors are mainly malvertising campaigns in search engines such as DuckDuck Go and Bing, in addition to possible phishing campaigns, impersonating governmental organizations in Mexico such as the Registro Nacional de Poblaci\u00f3n<\/em> (RENAPO) and the Servicio de Administraci\u00f3n Tributaria<\/em> (SAT).<\/p>\n

Our research shows that Red WinterDog<\/em> has been operating predominantly in Mexico since June 2022, making constant updates to its TTPs to evade security solutions or hinder analysis by cyber threat researchers. SCILabs detected the last activity of this adversary during May 2023.<\/p>\n

Geographical region of operation<\/strong><\/h3>\n

As a result of the open-source intelligence process and the analysis of the malicious artifacts used by this threat group, SCILabs determined with a high level of confidence that the primary country of operation is Mexico.<\/p>\n

\"\"<\/p>\n

Figure 1. Red WinterDog<\/em> activity map<\/p>\n

Based on our research, we present a timeline of Red WinterDog’s<\/em> most relevant activities from June 2022 to January 2023.<\/p>\n

\"\"<\/p>\n

Figure 2. Timelne of Red WinterDog<\/em> campaigns<\/p>\n

About the victims<\/strong><\/h3>\n

During constant monitoring of the region, SCILabs identified that Red WinterDog’s <\/em>main target is end users in Mexico; however, malvertising campaigns can affect the reputation of some government institutions and financial entities due to the adversary’s brand impersonation.<\/p>\n

Threat group’s operating model<\/strong><\/h3>\n

Red WinterDog<\/em> distributes its malware using malvertising campaigns on search engines such as DuckDuck Go and Bing, as well as possible phishing campaigns impersonating government institutions in Mexico. Based on a trends analysis conducted through open sources, we observed that the words CURP and SAT are two of the most searched words by users in Mexico, along with other words such as CFE or \u201cPasaporte\u201d.\u00a0 It is likely that adversaries also perform this type of analysis to determine which organizations they are going to impersonate in their malicious advertising campaigns and thus reach the largest number of potential victims.<\/p>\n

\"\"<\/p>\n

Figure 3. Comparative of different search parameters in Mexico (Google Trends<\/a>)<\/p>\n

Malware families operated by Red WinterDog<\/em><\/h3>\n

BlackDog<\/em> and BlackBelen<\/em> are the two trojans operated by the threat actor and they have particular characteristics, which are described in general terms below:<\/p>\n

BlackDog:<\/h4>\n