Previously unknown malware used in an APT campaign steals data from administrative, agricultural and transport companies in the Donetsk, Luhansk and Crimea regions. The attackers use the new PowerMagic backdoor and the modular CommonMagic framework.
In October 2022, Kaspersky researchers discovered an ongoing Advanced Persistent Threat (APT) campaign targeting organizations in the Russian-Ukrainian war zone. Dubbed 'CommonMagic' by Kaspersky, the espionage campaign has been active since at least September 2021 and uses a previously unknown malware to gather data from its targets. The targets include administrative, agricultural and transport companies in the Donetsk, Luhansk and Crimea regions.
PowerMagic backdoor attacks
The APT attacks are carried out with a PowerShell-based backdoor called 'PowerMagic' and the new malicious framework 'CommonMagic'. The latter makes it possible to steal files from USB devices, collect data and forward it to the attacker. In addition, the framework's modular structure allows further malicious capabilities to be added as new modules.
Initial access was probably gained through spear phishing or a similar method. Targeted individuals were directed to a URL that in turn led to a ZIP archive hosted on a malicious server. The archive contained both a malicious file that delivered the PowerMagic backdoor and a harmless decoy document meant to convince the victim that the content was legitimate. Kaspersky experts found a number of such decoy archives with titles referring to various decrees of organizations relevant in the region.
Actions initiated by spear phishing
Once a user downloads the archive and opens the link (shortcut) file inside it, the system is infected with the PowerMagic backdoor. The backdoor receives commands from a remote folder on a public cloud storage service, executes the commands sent from the server and then uploads the execution results back to the cloud. PowerMagic also establishes persistence so that it is launched every time the infected device starts up.
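As a defender-side illustration of the delivery pattern described above (an added example, not Kaspersky's code, and it does not reproduce the actual archives): a small Python checker that flags a ZIP containing a Windows shortcut file alongside a decoy document. It assumes the 'link file' is a .lnk shortcut, uses an assumed list of decoy document extensions, and runs on constructed in-memory samples.

```python
import io
import zipfile

# Assumed extension sets: Windows shortcuts (the "link file" the lure relies on)
# and the document types typically used as decoys. Adjust to local policy.
SHORTCUT_EXTS = {".lnk"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".rtf", ".odt"}

def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def lure_indicators(zip_bytes: bytes) -> dict:
    """Flag the shortcut-plus-decoy archive pattern; returns findings and a verdict."""
    shortcuts, decoys, masquerading = [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if ext in SHORTCUT_EXTS:
                shortcuts.append(info.filename)
                # "decree.docx.lnk": a shortcut dressed up as a document
                if _ext(info.filename[:-len(ext)]) in DECOY_EXTS:
                    masquerading.append(info.filename)
            elif ext in DECOY_EXTS:
                decoys.append(info.filename)
    suspicious = bool(shortcuts) and bool(decoys or masquerading)
    return {"shortcuts": shortcuts, "decoys": decoys,
            "masquerading": masquerading, "suspicious": suspicious}

def build_sample(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: one mimics the described lure, one is a plain document archive.
LURE_SAMPLE = build_sample({"decree.docx": b"decoy text", "decree.docx.lnk": b"L\x00\x00\x00"})
BENIGN_SAMPLE = build_sample({"decree.docx": b"ordinary document"})

if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, lure_indicators(sample))
```

In practice the same check runs on archives pulled from a mail gateway or proxy quarantine; a hit on `masquerading` is the strongest signal, since a document name ending in .lnk has no legitimate use.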
At this time, no direct link can be established between the code used in this campaign and any previously known cases. The campaign is still active, however, and analysis is ongoing. Given the limited victimology and the thematic lures, it is plausible that the attackers have a particular interest in the geopolitical situation in the conflict region.
More at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services that protect companies, critical infrastructure, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/