In October 2022, Kaspersky researchers discovered an ongoing advanced persistent threat (APT) campaign targeting organizations located in the area affected by the ongoing conflict between Russia and Ukraine. Dubbed CommonMagic, this espionage campaign has been active since at least September 2021, and uses a previously unknown malware to gather data from its targets. The targets include administration, agriculture and transportation organizations located in the Donetsk, Luhansk, and Crimea regions.
Attacks are executed using a PowerShell-based backdoor dubbed PowerMagic and a new malicious framework named CommonMagic. The latter is capable of stealing files from USB devices, gathering data and sending it over to the attacker. However, its potential is not limited to these two functions, as the modular frameworks’ structure allows introduction of additional malicious activities via new malicious modules.
The attacks most likely began with spearphishing or similar methods as suggested by the next steps in the infection chain. The targets were led to a URL, which in turn led to a ZIP archive hosted on a malicious server. The archive contained a malicious file that deployed the PowerMagic backdoor and a benign decoy document that was intended to mislead the victims into believing that the content was legitimate. Kaspersky discovered a number of such lure archives with titles referencing various decrees of organizations relevant to the regions.
Decoy Word document (topic: Results of the State Duma elections in the Republic of Crimea)
Once the victim downloads the archive, and clicks on the shortcut file in the archive, they get infected with PowerMagic backdoor. The backdoor receives commands from a remote folder located on a public cloud storage service, executes the commands sent from the server and then uploads the results of the execution back to the cloud. PowerMagic also sets itself up in the system to be launched persistently on startup of the infected device.
All PowerMagic targets witnessed by Kaspersky were also infected with a modular framework we dubbed CommonMagic. This points to CommonMagic likely being deployed by PowerMagic, although it is not clear from the available data how the infection takes place.
The CommonMagic framework consists of multiple modules. Each framework module is an executable file launched in a separate process, with modules being able to communicate between each other.
The framework is capable of stealing files from USB devices, as well as taking screenshots every three seconds and sending them to the attacker.
CommonMagic framework infection chain
At the time of writing, no direct links exist between the code and data used in this campaign and any previously known ones. However, as the campaign is still active and investigation is still in progress, it is possible further research will reveal additional information that could aid in attributing this campaign to a specific threat actor. The limited victimology and the topic of the lures suggest that the attackers likely have a specific interest in the geopolitical situation in the region of the crisis.
“Geopolitics always affect the cyber threat landscape and lead to the emergence of new threats. We have been monitoring activity connected to the conflict between Russia and Ukraine for a while now, and this is one of our latest discoveries. Although the malware and techniques employed in the CommonMagic campaign are not particularly sophisticated, the use of cloud storage as the command-and-control infrastructure is noteworthy. We will continue our investigation and hopefully will be able to share more insights into this campaign,” comments Leonid Bezvershenko, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
Read the full report about the CommonMagic campaign on Securelist.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky spanning over 20 years.
- Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts
- For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
- As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform