The advanced persistent threat (APT) known as CommonMagic has been observed targeting administrative organizations in the Russo-Ukrainian conflict zone.
According to an advisory published by Kaspersky earlier today, CommonMagic has been active since at least September 2021, with the group attacking administrative, agriculture and transportation entities across Donetsk, Luhansk and Crimea.
“Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods,” reads the technical write-up. “The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files.”
The first of these files was a decoy document (either a PDF, XLSX or DOC file), while the second was a malicious LNK (Windows shortcut) file with a double extension (e.g., .pdf.lnk) that led to infection when opened.
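An added detection example, not code from Kaspersky's advisory or this article: it scans a ZIP archive for the two-file lure layout described above (a decoy document beside a shortcut whose name ends in a document extension followed by `.lnk`), confirming each candidate by its Shell Link header rather than by name alone. The sample archive is constructed inline; the file names and the extension list are assumptions for illustration.

```python
import io
import re
import zipfile

# MS-SHLLINK header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in little-endian field order.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")

# Outer .lnk preceded by a document-like inner extension, e.g. "report.pdf.lnk".
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|rtf)\.lnk$", re.IGNORECASE)
DECOY_EXT = re.compile(r"\.(pdf|docx?|xlsx?)$", re.IGNORECASE)


def suspicious_entries(zip_bytes: bytes) -> list:
    """Names of entries that are real shortcut files hiding behind a document
    extension; a name match alone is not enough, so the header is read too."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not DOUBLE_EXT.search(info.filename):
                continue
            with zf.open(info) as fh:
                if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    hits.append(info.filename)
    return hits


def matches_lure_pattern(zip_bytes: bytes) -> bool:
    """True when the archive pairs a decoy document with a double-extension
    shortcut, i.e. the two-file layout the advisory describes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    has_decoy = any(DECOY_EXT.search(n) for n in names)
    return has_decoy and bool(suspicious_entries(zip_bytes))


def build_sample(lnk_body: bytes = LNK_MAGIC + b"\x00" * 40) -> bytes:
    """Constructed sample archive (not a real artifact): a decoy PDF plus a
    shortcut named like a PDF; pass b"" to omit the shortcut entirely."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf", b"%PDF-1.4 constructed decoy")
        if lnk_body:
            zf.writestr("notice.pdf.lnk", lnk_body)
    return buf.getvalue()
```

Archives pulled from a proxy or mail gateway quarantine can be fed to `matches_lure_pattern` directly as bytes.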
Kaspersky explained that the threat actor carried out the attacks using a PowerShell-based backdoor called PowerMagic and a previously unseen malicious framework, CommonMagic, which shares the group's name.
“The backdoor receives commands from a remote folder located on a public cloud storage service, executes the commands sent from the server and then uploads the results of the execution back to the cloud,” Kaspersky wrote. “PowerMagic also sets itself up in the system to be launched persistently on startup of the infected device.”
As for CommonMagic, the security researchers explained that the framework comprises multiple modules. Each module is an executable file launched in a separate process, and the modules are able to communicate with one another.
“The framework is capable of stealing files from USB devices, as well as taking screenshots every three seconds, and sending them to the attacker,” reads the advisory.
Commenting on the findings, Kaspersky security researcher Leonid Bezvershenko said that while the malware and techniques used in the CommonMagic campaign are not particularly sophisticated, cloud storage as the command-and-control (C2) infrastructure is significant.
“We will continue our investigation and hopefully will be able to share more insights into this campaign.”