CommonMagic APT uses new malware to target organizations in Russo-Ukrainian conflict zone

Most likely delivered via spear phishing attacks

Kaspersky^[1] has identified an advanced persistent threat (APT) campaign called CommonMagic that targets organizations in the Russo-Ukrainian conflict zone. This campaign has been observed attacking administrative, agriculture, and transportation entities across Donetsk, Luhansk, and Crimea.

The security team has named the cluster of activity “Bad Magic” and is tracking the campaign. The backdoor used by the group is named PowerMagic, a PowerShell-based backdoor that establishes contact with a remote server and executes arbitrary commands, the results of which are exfiltrated to cloud services like Dropbox and Microsoft OneDrive.

PowerMagic also serves as a conduit to deliver the CommonMagic framework, a set of executable modules designed to carry out specific tasks such as interacting with the command-and-control (C2) server, encrypting and decrypting C2 traffic, and executing plugins.

While the initial vector of compromise is unclear, the next stage implies spear phishing or similar methods, according to Kaspersky's technical write-up.^[2] The victims are led to a URL pointing to a ZIP archive hosted on a malicious web server. The archive contains two files: a decoy document (PDF, XLSX, or DOC) and a malicious LNK (Windows shortcut) file with a double extension (e.g., .pdf.lnk) that leads to infection when opened.

War fuels cyberattacks

The CommonMagic framework can steal files from USB devices, take screenshots every three seconds, and send them to the attacker. The framework comprises multiple modules, each of which is an executable file launched in a separate process and is able to communicate with other modules.

The use of cloud storage as the command-and-control infrastructure is noteworthy, according to Kaspersky security researcher Leonid Bezvershenko.^[3] Although the malware and techniques employed in the CommonMagic campaign are not particularly sophisticated, geopolitics always affect the cyber threat landscape and lead to the emergence of new threats.

The infection chain used by the CommonMagic campaign has been observed in multiple cases. The targets are led to a URL, which leads to a ZIP archive hosted on a malicious server. The archive contains a malicious file that deploys the PowerMagic backdoor and a benign decoy document that misleads the victim into believing that the content is legitimate.

Kaspersky has found a number of such lure archives with titles referencing various decrees of organizations relevant to the regions. Once the victim downloads the archive and clicks on the shortcut file in the archive, they become infected with the PowerMagic backdoor. The backdoor receives commands from a remote folder located on a public cloud storage service, executes the commands sent from the server, and then uploads the results of the execution back to the cloud.

Active since at least 2021

The modular frameworks' structure allows for the introduction of additional malicious activities via new malicious modules. Kaspersky has found no evidence linking the operation and its tooling to any known threat actor or group. The earliest ZIP archive attachment dates back to September 2021, indicating that the campaign may have flown under the radar for more than 1.5 years.

The CommonMagic campaign's use of cloud storage as the command-and-control infrastructure is significant. Security researchers have been tracking the activity cluster under the name “Bad Magic” and will continue their investigation.

The modular framework structure of CommonMagic allows for the introduction of additional malicious activities via new malicious modules, making it a significant threat.

Similar campaigns

Multiple threat actors have utilized a straightforward infection chain involving malicious LNK files in ZIP archives, but the malware or tactics seen in CommonMagic attacks are neither complex nor innovative.

Last month, Security Joes uncovered a new backdoor called IceBreaker,^[4] which was delivered via a malicious LNK in a ZIP archive. A similar method was used in a ChromeLoader campaign that relied on a malicious LNK to execute a batch script and extract the contents of a ZIP container for the final payload.

However, the closest approach to CommonMagic's technique is utilized by the YoroTrooper threat actor. YoroTrooper has engaged in cyber espionage by delivering phishing emails containing malicious LNK files and decoy PDF documents encased in ZIP or RAR archives.^[5]