Ukraine War: CommonMagic APT campaign expands

Kaspersky_news


Recent Kaspersky research shows that the threat actor behind the CommonMagic campaign is expanding its malicious activities, both regionally and technically.

According to the researchers, the newly discovered 'CloudWizard' framework has extended its victimology to organizations in central and western Ukraine; until now, only organizations in the Russian-Ukrainian war zone had been affected. In addition, Kaspersky experts were able to link the previously unknown actor to earlier APT campaigns such as Operation BugDrop and Operation Groundbait (Prikormka).

Back in March this year, Kaspersky reported on a new APT campaign in the Russian-Ukrainian war zone called CommonMagic, which uses PowerMagic and CommonMagic implants for espionage purposes. The campaign has been active since September 2021 and is now using a previously unidentified malware to collect data from the targeted individuals.

CloudWizard framework discovered for the first time

The newly discovered APT campaign used a modular framework called CloudWizard. Kaspersky identified a total of nine modules within this framework, each responsible for a specific malicious activity such as file harvesting, keylogging, screenshot capture, microphone recording, and password theft. One of these modules focuses on exfiltrating data from Gmail accounts: by extracting Gmail cookies from browser databases, it can access activity logs, contact lists and all email messages associated with the targeted accounts.

Parallels between CloudWizard, Groundbait and BugDrop

Further analyses by Kaspersky's security experts also show that the campaign now has a wider distribution of victims. While the regions of Donetsk, Luhansk and Crimea had been targeted so far, individuals, diplomatic institutions and research organizations in western and central Ukraine are now also affected. Furthermore, the experts were able to identify clear matches between CloudWizard and two previously documented campaigns, Operation Groundbait and Operation BugDrop. Similarities include parallels in code, in file naming and listing, in hosting by Ukrainian hosting services, and in common victim profiles in western and central Ukraine and in the conflict region in eastern Europe.

In addition, CloudWizard also has certain similarities with the recently discovered CommonMagic campaign. Some sections of code are identical; both use the same encryption library, follow a similar file naming format and have common target locations in the Eastern European conflict zone.


One group - many similar attack campaigns

From this, Kaspersky experts conclude that the malicious campaigns Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic and CloudWizard can be traced back to the same, still active threat actor.

"The threat actor responsible for these attacks is consistently pursuing its cyberespionage activities, continuously improving its toolkit and targeting specific facilities of interest to it for over fifteen years," explains Georgy Kucherin, security expert at Kaspersky's Global Research & Analysis Team (GReAT). "Geopolitical factors continue to be a major driver of APT attacks. Given the prevailing tensions in the Russian-Ukrainian conflict zone, we expect this actor to continue operations for the foreseeable future."

More at Kaspersky.com

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services that protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
