A new backdoor dubbed PowerMagic and “a previously unseen malicious framework” named CommonMagic were utilized in assaults by an advanced threat actor, according to security researchers.
Both malware pieces have been used since at least September 2021 in operations that target organizations in the administrative, transportation, and agricultural sectors for espionage purposes.
Dissecting the New Malware
According to researchers, the threat actors are interested in collecting data mainly from victims based in Donetsk, Lugansk, and Crimea.
After gaining access to the victim’s network, the threat actors behind the CommonMagic cyberespionage campaign can use plugins to steal DOC, DOCX, XLS, XLSX, RTF, ODT, ODS, ZIP, RAR, TXT, and PDF files from USB devices. The malware can also be used to take screenshots every three seconds using the Windows Graphics Device Interface (GDI) API.
Researchers think that the initial infection vector is spear phishing or a similar technique used to deliver a URL pointing to a ZIP archive that contains a malicious LNK file. When the LNK file, disguised as a PDF, was launched, a decoy document (PDF, XLSX, or DOCX) from the archive was opened to divert the target user's attention from the harmful activity that began in the background.
Activating the malicious LNK infects the system with a PowerShell-based backdoor previously unknown to researchers, who dubbed it PowerMagic after a string in the malware code.
Using OneDrive and Dropbox folders, the backdoor communicates with the command and control (C2) server to obtain instructions and upload the results.
Following the infection with PowerMagic, the targets were infected with CommonMagic, which is a collection of malicious tools never seen before these attacks.
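The delivery chain described above (a ZIP archive holding a decoy document next to an LNK file disguised as a PDF) is something a defender can check for at the mail gateway or in a sandbox. The script below is an added example, not code from the article or from any of the researchers cited; it builds a constructed sample archive in memory (the file names "report.pdf" and "report.pdf.lnk" are made up) and flags entries that are LNK files by name or by content but present themselves as documents. The only format detail it relies on is the public Shell Link header (MS-SHLLINK).

```python
"""Flag ZIP archives matching the "decoy document + disguised LNK" pattern.

Added example, not from the original article. The archive built by
build_sample_archive() is constructed for the demonstration.
"""
import io
import posixpath
import zipfile

# Shell Link (.lnk) file header per MS-SHLLINK: HeaderSize 0x0000004C
# followed by LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Document extensions the lure and the decoy are described as using.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".odt", ".ods", ".txt"}


def is_lnk(head: bytes) -> bool:
    """True if the first bytes of an entry carry the Shell Link header."""
    return head[: len(LNK_MAGIC)] == LNK_MAGIC


def looks_like_document(name: str) -> bool:
    """True if the (case-insensitive) extension is a document type."""
    return posixpath.splitext(name.lower())[1] in DOC_EXTS


def classify_entry(name: str, head: bytes) -> str:
    """Classify one archive entry from its name and leading bytes.

    Returns "disguised_lnk" for an LNK that pretends to be a document
    (either a double extension such as report.pdf.lnk, or LNK content under
    a document name), "lnk" for an undisguised shortcut, "document" for a
    plain document, and "other" for anything else.
    """
    lower = name.lower()
    lnk_by_name = lower.endswith(".lnk")
    lnk_by_content = is_lnk(head)
    if lnk_by_name or lnk_by_content:
        # Strip the real .lnk extension and look at what the name claims to be.
        stem = lower[:-4] if lnk_by_name else lower
        if looks_like_document(stem) or not lnk_by_name:
            return "disguised_lnk"
        return "lnk"
    if looks_like_document(lower):
        return "document"
    return "other"


def analyze_archive(blob: bytes) -> dict:
    """Scan a ZIP blob and report disguised LNKs, decoy documents and a verdict."""
    findings = {"disguised_lnk": [], "lnk": [], "documents": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            kind = classify_entry(info.filename, head)
            key = "documents" if kind == "document" else kind
            findings[key].append(info.filename)
    findings["decoy_present"] = bool(findings["documents"])
    findings["verdict"] = "suspicious" if findings["disguised_lnk"] else "clean"
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy PDF beside a .pdf.lnk whose bytes are an LNK header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    print(analyze_archive(build_sample_archive()))
```

Checking the content magic as well as the name matters because an archive can carry an LNK under a plain document name; matching on the double extension alone would miss that variant.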
The Frameworks Have Been Used Since 2021
Neither the malware nor the methods seen in CommonMagic attacks are complex or innovative. Security researchers have observed similar methods in the IceBreaker backdoor and in ChromeLoader campaigns.
The closest resemblance to CommonMagic's techniques has been seen in the activity of the Cisco Talos tracked threat actor YoroTrooper, who used phishing emails to distribute malicious LNK files and fake PDF documents enclosed in a ZIP or RAR package.
Researchers tracked evidence of both PowerMagic and CommonMagic activity dating back to September 2021. Since then, the frameworks have been used in dozens of attacks.
According to BleepingComputer, the limited victimology and Russian-Ukrainian conflict-themed lures suggest that the attackers have a specific interest in the geopolitical situation in that region.
The frameworks continue to be actively used by threat actors today.