In October 2022, Kaspersky researchers discovered an ongoing advanced persistent threat (APT) campaign targeting organisations located in the area affected by the conflict between Russia and Ukraine. Dubbed CommonMagic, this espionage campaign has been active since at least September 2021 and uses previously unknown malware to gather data from its targets. The targets include administration, agriculture and transportation organisations located in the Donetsk, Luhansk and Crimea regions.
Attacks are executed using a PowerShell-based backdoor dubbed PowerMagic and a new malicious framework named CommonMagic. The latter is capable of stealing files from USB devices, gathering data and sending it to the attacker. However, its potential is not limited to these two functions, as the framework's modular structure allows additional malicious activities to be introduced via new modules.
The attacks most likely began with spearphishing or similar methods as suggested by the next steps in the infection chain. The targets were led to a URL, which in turn led to a ZIP archive hosted on a malicious server. The archive contained a malicious file that deployed the PowerMagic backdoor and a benign decoy document that was intended to mislead the victims into believing that the content was legitimate. Kaspersky discovered a number of such lure archives with titles referencing various decrees of organisations relevant to the regions.
Once the victim downloads the archive and clicks on the shortcut file it contains, they are infected with the PowerMagic backdoor. The backdoor receives commands from a remote folder located on a public cloud storage service, executes the commands sent from the server and then uploads the results of the execution back to the cloud. PowerMagic also sets itself up to be launched persistently on startup of the infected device.
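The lure pattern described above, a ZIP archive pairing a Windows shortcut with a benign-looking decoy document, can be pre-filtered at a mail gateway or sandbox intake before any file is opened. The following triage script is an added example written for this article, not Kaspersky's code; the archive contents and file names are constructed, and it identifies shortcuts by their ShellLinkHeader bytes so that a renamed .lnk is still caught.

```python
import io
import zipfile

# ShellLinkHeader prefix: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
DECOY_EXTENSIONS = (".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx")


def is_shell_link(head: bytes) -> bool:
    """True if the member starts with a Windows shortcut header."""
    return head[:20] == LNK_MAGIC


def triage_archive(zip_bytes: bytes) -> dict:
    """Flag archives that pair a shortcut with a document-like decoy.

    Only the first 20 bytes of each member are read, so nothing is executed
    or parsed beyond the header check.
    """
    shortcuts, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(20)
            name = info.filename.lower()
            if is_shell_link(head) or name.endswith(".lnk"):
                shortcuts.append(info.filename)
            elif name.endswith(DECOY_EXTENSIONS):
                decoys.append(info.filename)
    return {"shortcuts": shortcuts, "decoys": decoys,
            "suspicious": bool(shortcuts and decoys)}


def build_archive(members: dict) -> bytes:
    """Construct an in-memory ZIP from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a lure-shaped archive whose shortcut has a disguised
# extension (caught by header), and a benign archive with documents only.
LURE_ZIP = build_archive({"decree.pdf": b"%PDF-1.4 constructed decoy",
                          "decree_full.txt": LNK_MAGIC + b"\x00" * 56})
BENIGN_ZIP = build_archive({"decree.pdf": b"%PDF-1.4 constructed",
                            "notes.txt": b"constructed plain text"})
```

Running `triage_archive(LURE_ZIP)` flags the archive because the disguised shortcut is found by header alongside the decoy, while `BENIGN_ZIP` is not flagged.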
All PowerMagic targets witnessed by Kaspersky were also infected with a modular framework we dubbed CommonMagic. This points to CommonMagic likely being deployed by PowerMagic, although it is not clear from the available data how the infection takes place.
The CommonMagic framework consists of multiple modules. Each module is an executable file launched in a separate process, and modules are able to communicate with each other. The framework is capable of stealing files from USB devices, as well as taking screenshots every three seconds and sending them to the attacker.
At the time of writing, no direct links exist between the code and data used in this campaign and any previously known ones. However, as the campaign is still active and investigation is still in progress, it is possible further research will reveal additional information that could aid in attributing this campaign to a specific threat actor. The limited victimology and the topic of the lures suggest that the attackers likely have a specific interest in the geopolitical situation in the region of the crisis.
“Geopolitics always affect the cyber threat landscape and lead to the emergence of new threats. We have been monitoring activity connected to the conflict between Russia and Ukraine for a while now, and this is one of our latest discoveries. Although the malware and techniques employed in the CommonMagic campaign are not particularly sophisticated, the use of cloud storage as the command-and-control infrastructure is noteworthy. We will continue our investigation and hopefully will be able to share more insights into this campaign,” comments Leonid Bezvershenko, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).