Security researchers have revealed that a new backdoor dubbed PowerMagic and "a previously unseen malicious framework" named CommonMagic were used in cyberattacks by an advanced threat actor. Both malware families have been employed in ongoing operations targeting organizations in the transportation, agricultural, and government administration sectors since at least September 2021.
Researchers at the cybersecurity firm Kaspersky say the attackers are motivated by a desire to gather intelligence from victims in Crimea, Donetsk, and Lugansk. Once they have gained access to the target network, the operators behind the CommonMagic espionage campaign can deploy additional plugins to steal files and documents (DOC, DOCX, PDF, XLS, XLSX, ODS, ODT, ZIP, RTF, RAR, TXT) from USB devices.
The malware can also use the Windows Graphics Device Interface (GDI) API to capture screenshots every three seconds. The researchers believe the initial infection vector is spear phishing or a similar technique that delivers a URL pointing to a ZIP archive containing a malicious LNK file. When the LNK file, disguised as a PDF, was launched, a decoy document (PDF, XLSX, or DOCX) from the archive was displayed to distract the target user from the malicious activity that began in the background.
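The lure described above, a ZIP archive carrying a LNK file whose name imitates a document, is something a mail gateway or incident responder can triage automatically before anyone double-clicks it. The following Python script is an added example, not code from the article or from Kaspersky: it walks a ZIP archive, identifies entries that carry the ShellLinkHeader magic (the 0x4C header size and the fixed CLSID from the MS-SHLLINK specification), and reports whether the entry name masquerades as a document, whether the header's LinkFlags declare command-line arguments, and whether ShowCommand asks for a hidden (SW_SHOWMINNOACTIVE) window. The sample archive and its bare 76-byte LNK header are constructed inline for the demonstration; the set of "document" extensions to look for is an assumption based on the decoy types named in the article.

```python
import io
import struct
import zipfile

# MS-SHLLINK ShellLinkHeader: HeaderSize is always 0x4C, followed by the
# fixed LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian form.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LINKFLAG_HAS_ARGUMENTS = 0x20
LINKFLAG_HAS_ICON_LOCATION = 0x40
SW_SHOWMINNOACTIVE = 7

# Assumption: extensions a lure would imitate (decoy types named in the article).
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def is_lnk(data: bytes) -> bool:
    """True if data starts with a complete, well-formed ShellLinkHeader."""
    return (
        len(data) >= LNK_HEADER_SIZE
        and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
        and data[4:20] == LNK_CLSID
    )


def triage_zip(blob: bytes) -> list[dict]:
    """Return one finding per LNK entry in the archive with the header facts
    a defender cares about: name masquerading, arguments, hidden window."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(LNK_HEADER_SIZE)
            if not is_lnk(head):
                continue
            link_flags = struct.unpack_from("<I", head, 20)[0]
            show_command = struct.unpack_from("<I", head, 60)[0]
            lower = info.filename.lower()
            # Name with the trailing .lnk removed: "report.pdf.lnk" -> "report.pdf"
            inner = lower[:-4] if lower.endswith(".lnk") else lower
            findings.append({
                "name": info.filename,
                "masquerades_as_document": inner.endswith(DECOY_EXTS),
                "has_arguments": bool(link_flags & LINKFLAG_HAS_ARGUMENTS),
                "has_icon_location": bool(link_flags & LINKFLAG_HAS_ICON_LOCATION),
                "hidden_window": show_command == SW_SHOWMINNOACTIVE,
            })
    return findings


def build_lnk_header(link_flags: int, show_command: int) -> bytes:
    """Constructed: a bare 76-byte ShellLinkHeader with only the fields this
    triage reads populated. There is no target, no arguments body, no payload."""
    return struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, link_flags,
        0,              # FileAttributes
        0, 0, 0,        # CreationTime, AccessTime, WriteTime
        0,              # FileSize
        0,              # IconIndex
        show_command,   # ShowCommand
        0, 0, 0, 0,     # HotKey, Reserved1, Reserved2, Reserved3
    )


def build_sample_zip() -> bytes:
    """Constructed sample archive shaped like the lure: a decoy document, a
    LNK named to look like a PDF, and an innocuous text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.docx", b"decoy document bytes (constructed)")
        zf.writestr(
            "report.pdf.lnk",
            build_lnk_header(LINKFLAG_HAS_ARGUMENTS | LINKFLAG_HAS_ICON_LOCATION,
                             SW_SHOWMINNOACTIVE),
        )
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

In practice the same check is run on attachments at the gateway or on quarantined ZIPs during incident response; an entry that is a LNK, carries arguments, requests a hidden window, and is named like a document is enough to hold the message for analyst review, regardless of what the decoy alongside it looks like.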
According to Kaspersky, executing the malicious LNK infects the system with a previously unknown PowerShell-based backdoor. The researchers named the backdoor PowerMagic after a string in the malware code. The backdoor communicates with its command and control (C2) server through files on OneDrive and Dropbox, using them to receive instructions and upload results. After the PowerMagic infection, the targets were then infected with CommonMagic, a set of malicious tools the researchers had never encountered before these attacks.
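Because PowerMagic is a PowerShell backdoor that relays its C2 traffic through OneDrive and Dropbox files, the traffic itself blends in with legitimate cloud-storage use; what stands out is the process making the connections and the regularity of the polling. The script below is an added hunting example, not code from the article or from Kaspersky, and it assumes the kind of network telemetry an EDR or proxy-with-process-attribution produces (timestamp, host, originating process, destination domain). It groups connections from script hosts to cloud-storage API domains and flags groups whose inter-connection gaps are nearly constant, the signature of a polling loop. The event lines, the script-host names and the domain list are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Assumption: cloud-storage API domains worth watching when the client is a script host.
CLOUD_STORAGE = {"api.onedrive.com", "api.dropboxapi.com", "content.dropboxapi.com"}
# Assumption: processes that should rarely be talking to storage APIs on their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed EDR-style network events: "<iso-timestamp> <host> <process> <domain>".
SAMPLE_EVENTS = """
2023-03-01T10:00:00 WS01 powershell.exe api.onedrive.com
2023-03-01T10:00:03 WS01 OneDrive.exe api.onedrive.com
2023-03-01T10:05:00 WS01 powershell.exe api.onedrive.com
2023-03-01T10:07:41 WS01 OneDrive.exe api.onedrive.com
2023-03-01T10:10:00 WS01 powershell.exe api.onedrive.com
2023-03-01T10:15:00 WS01 powershell.exe api.onedrive.com
2023-03-01T10:20:00 WS01 powershell.exe api.onedrive.com
2023-03-01T10:00:00 WS02 powershell.exe api.dropboxapi.com
2023-03-01T10:01:00 WS02 powershell.exe api.dropboxapi.com
2023-03-01T10:45:00 WS02 powershell.exe api.dropboxapi.com
2023-03-01T11:30:00 WS02 powershell.exe api.dropboxapi.com
2023-03-01T10:12:00 WS03 chrome.exe content.dropboxapi.com
"""


def parse_events(text: str) -> list[tuple]:
    """Parse the constructed event format into (timestamp, host, process, domain)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, proc, domain = line.split()
        events.append((datetime.fromisoformat(ts), host, proc.lower(), domain.lower()))
    return events


def find_beacons(events: list[tuple], min_hits: int = 4, max_jitter: float = 0.2) -> list[dict]:
    """Flag (host, process, domain) groups where a script host polls a storage
    API at near-constant intervals. jitter = stdev(gaps) / mean(gaps); a real
    polling loop sits close to 0, interactive use scatters widely."""
    by_key = defaultdict(list)
    for ts, host, proc, domain in events:
        if proc in SCRIPT_HOSTS and domain in CLOUD_STORAGE:
            by_key[(host, proc, domain)].append(ts)

    hits = []
    for (host, proc, domain), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        jitter = pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            hits.append({
                "host": host,
                "process": proc,
                "domain": domain,
                "count": len(stamps),
                "interval_s": round(mean),
                "jitter": round(jitter, 3),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

On the constructed data only WS01 is reported: five connections from powershell.exe to the OneDrive API exactly 300 seconds apart. The OneDrive.exe client on the same host is ignored because it is not a script host, and the powershell.exe activity on WS02 is dropped by the jitter threshold because its gaps (60, 2640 and 2700 seconds) look like a person, not a loop.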
The CommonMagic framework consists of several independent executable modules that communicate with one another over named pipes. Kaspersky's analysis found that the attackers built dedicated modules for a range of tasks, including communicating with the C2, encrypting and decrypting messages from the command server, stealing files, and capturing screenshots. Files exchanged with the C2 through a OneDrive folder are encrypted with the open-source RC5Simple library, using a modified signature sequence, Hwo7X8p, at the start of the encrypted data.
The malware used in CommonMagic attacks is neither sophisticated nor novel. An infection chain built on malicious LNK files inside ZIP archives has been used by many threat actors. Security Joes, an incident response company, reported last month that it had found a brand-new backdoor named IceBreaker that was delivered through a malicious LNK in a ZIP archive. A ChromeLoader campaign used a similar technique: a malicious LNK ran a batch script that extracted the contents of a ZIP container to retrieve the final payload.
However, the actor whose method most closely resembles CommonMagic's is the threat actor known as YoroTrooper, which used phishing emails to distribute malicious LNK files and fake PDF documents enclosed in a ZIP or RAR archive. Still, Kaspersky notes that CommonMagic's approach worked despite being unconventional. Researchers identified a few attacks from this threat actor dating back to September 2021 and found an active infection in October of last year.
Security researcher Leonid Besverzhenko of Kaspersky's Global Research and Analysis Team said that several cyberattacks employed the CommonMagic framework and the PowerMagic backdoor. Besverzhenko says that although CommonMagic activity appears to have started in 2021, the adversary stepped up their efforts last year and remains active today.
By combining crude techniques that several actors have used with their own malicious code, the attackers have so far made it difficult to link this activity to other campaigns. According to a Kaspersky spokesperson, "the limited victimology and Russian-Ukrainian conflict-themed lures suggest that the attackers likely have a specific interest in the geopolitical situation in that region."