Recent Kaspersky research shows that the threat actor behind the CommonMagic campaign is expanding its malicious activities, both regionally and from a technical perspective.
According to the researchers, the newly discovered 'CloudWizard' framework has extended its victimology to organizations in central and western Ukraine; until now, only organizations in the Russian-Ukrainian war zone had been affected. In addition, Kaspersky experts were able to link the previously unknown actor to earlier APT campaigns such as Operation BugDrop and Operation Groundbait (Prikormka).
Back in March this year, Kaspersky reported on a new APT campaign in the Russian-Ukrainian war zone called CommonMagic, which uses the PowerMagic and CommonMagic implants for espionage purposes. The campaign has been active since September 2021 and is now using previously unidentified malware to collect data from the targeted individuals.
CloudWizard framework discovered for the first time
The newly discovered APT campaign used a modular framework called CloudWizard. Kaspersky identified a total of nine modules within this framework, each responsible for a specific malicious activity such as file harvesting, keylogging, screenshot capture, microphone recording, and password theft. One of these modules focuses on exfiltrating data from Gmail accounts. By extracting Gmail cookies from browser databases, this module can access the activity logs, contact lists and all email messages associated with the targeted accounts.
Parallels between CloudWizard, Groundbait and BugDrop
Further analysis by Kaspersky's security experts also shows that the campaign now has a wider distribution of victims. While the regions of Donetsk, Luhansk and Crimea had been targeted so far, individuals, diplomatic institutions and research organizations in western and central Ukraine are now also affected. Furthermore, the experts were able to identify clear matches between CloudWizard and two previously documented campaigns: Operation Groundbait and Operation BugDrop. The similarities include parallels in code, file naming and listing, hosting with Ukrainian hosting providers, and common victim profiles in western and central Ukraine and in the conflict region in eastern Europe.
In addition, CloudWizard also has certain similarities with the recently discovered CommonMagic campaign. Some sections of code are identical; both use the same encryption library, follow a similar file naming format and have common target locations in the Eastern European conflict zone.
One group - many similar attack campaigns
From this, Kaspersky experts conclude that the malicious campaigns Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic and CloudWizard can all be traced back to the same, still active threat actor.
"The threat actor responsible for these attacks is consistently pursuing its cyberespionage activities, continuously improving its toolkit and targeting specific facilities of interest to it for over fifteen years," explains Georgy Kucherin, security expert at the Global Research & Analysis Team (GReAT) at Kaspersky. "Geopolitical factors continue to be a major driver of APT attacks. Given the prevailing tensions in the Russian-Ukrainian conflict zone, we expect this actor to continue operations for the foreseeable future."
More at Kaspersky.com
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/