Security researchers have discovered attacks from an advanced threat actor that used “a previously unseen malicious framework” called CommonMagic and a new backdoor called PowerMagic.
Both malware pieces have been used since at least September 2021 in operations that continue to this day and target organizations in the administrative, agriculture, and transportation sectors for espionage purposes.
New malicious toolkit dropped
Researchers at cybersecurity company Kaspersky say that the hackers are interested in collecting data from victims in Donetsk, Lugansk, and Crimea.
Once inside the victim network, the attackers behind the CommonMagic espionage campaign can use separate plugins to steal documents and files (DOC, DOCX, XLS, XLSX, RTF, ODT, ODS, ZIP, RAR, TXT, PDF) from USB devices.
The malware used can also take screenshots every three seconds using the Windows Graphics Device Interface (GDI) API.
The researchers believe that the initial infection vector is spear phishing or a similar method to deliver a URL pointing to a ZIP archive with a malicious LNK file.
A decoy document (PDF, XLSX, DOCX) in the archive diverted the target user from the malicious activity that started in the background when the LNK file disguised as a PDF was launched.
Kaspersky says that activating the malicious LNK would lead to infecting the system with a previously unknown PowerShell-based backdoor that the researcher named PowerMagic after a string in the malware code.
The backdoor communicates with the command and control (C2) server to receive instructions and upload the results using OneDrive and Dropbox folders.
Following the PowerMagic infection, the targets were infected with CommonMagic, a collection of malicious tools that the researchers have not seen before these attacks.
The CommonMagic framework has several modules that start as standalone executables and use named pipes to communicate.
Kaspersky’s analysis revealed that the hackers created dedicated modules for various tasks, from interacting with the C2 to encrypting and decrypting traffic from the command server, stealing documents, and taking screenshots.
Exchanging data with the C2 is also done via a OneDrive folder and the files are encrypted using the RC5Simple open-source library with a customized sequence – Hwo7X8p – at the beginning of the encryption.
Hiding behind ordinary tactics
The malware or the methods seen in CommonMagic attacks are not complex or innovative. An infection chain involving malicious LNK files in ZIP archives has been observed with multiple threat actors.
Incident response firm Security Joes announced last month the discovery of a new backdoor called IceBreaker that was delivered from a malicious LNK in a ZIP archive.
A similar method was seen in a ChromeLoader campaign that relied on a malicious LNK to execute a batch script and extract the content of a ZIP container to fetch the final payload.
However, the closest to CommonMagic’s technique is a threat actor that Cisco Talos tracks as YoroTrooper, who engaged in cyberespionage activity using phishing emails delivering malicious LNK files and decoy PDF documents encased in a ZIP or RAR archive.
Despite the non-customary approach, though, CommonMagic’s method proved to be successful, Kaspersky says.
The researchers discovered an active infection in October last year but tracked a few attacks from this threat actor as old as September 2021.
Leonid Besverzhenko, security researcher at Kaspersky’s Global Research and Analysis Team, told BleepingComputer that the PowerMagic backdoor and the CommonMagic framework were used in dozens of attacks.
Although CommonMagic activity appears to have started in 2021, Besverzhenko says that the adversary intensified their efforts last year and continues to be active today.
By combining unsophisticated techniques that have been used by multiple actors and original malicious code, the hackers managed to make impossible a connection to other campaigns at this time.
A spokesperson from Kaspersky told BleepingComputer that “the limited victimology and Russian-Ukrainian conflict-themed lures suggest that the attackers likely have a specific interest in the geopolitical situation in that region.”