Security researchers have discovered attacks from an advanced threat actor that used “a previously unseen malicious framework” called CommonMagic and a new backdoor called PowerMagic.

Both malware pieces have been used since at least September 2021 in operations that continue to this day and target organizations in the administrative, agriculture, and transportation sectors for espionage purposes.

New malicious toolkit dropped

Researchers at cybersecurity company Kaspersky say that the hackers are interested in collecting data from victims in Donetsk, Lugansk, and Crimea.

Once inside the victim network, the attackers behind the CommonMagic espionage campaign can use separate plugins to steal documents and files (DOC, DOCX, XLS, XLSX, RTF, ODT, ODS, ZIP, RAR, TXT, PDF) from USB devices.

The malware used can also take screenshots every three seconds using the Windows Graphics Device Interface (GDI) API.

The researchers believe that the initial infection vector is spear phishing or a similar method to deliver a URL pointing to a ZIP archive with a malicious LNK file.

A decoy document (PDF, XLSX, DOCX) in the archive diverted the target user from the malicious activity that started in the background when the LNK file disguised as a PDF was launched.

Malicious ZIP delivered in CommonMagic campaign
Malicious ZIP delivered in CommonMagic campaign
source: Kaspersky

Kaspersky says that activating the malicious LNK would lead to infecting the system with a previously unknown PowerShell-based backdoor that the researcher named PowerMagic after a string in the malware code.

The backdoor communicates with the command and control (C2) server to receive instructions and upload the results using OneDrive and Dropbox folders.

Following the PowerMagic infection, the targets were infected with CommonMagic, a collection of malicious tools that the researchers have not seen before these attacks.

CommonMagic infection chain
CommonMagic infection chain
source: Kaspersky

The CommonMagic framework has several modules that start as standalone executables and use named pipes to communicate.

Kaspersky’s analysis revealed that the hackers created dedicated modules for various tasks, from interacting with the C2 to encrypting and decrypting traffic from the command server, stealing documents, and taking screenshots.

Modular architecture of the CommonMagic framework
Architecture of the modular CommonMagic framework
source: Kaspersky

Exchanging data with the C2 is also done via a OneDrive folder and the files are encrypted using the RC5Simple open-source library with a customized sequence - Hwo7X8p - at the beginning of the encryption.

Hiding behind ordinary tactics

The malware or the methods seen in CommonMagic attacks are not complex or innovative. An infection chain involving malicious LNK files in ZIP archives has been observed with multiple threat actors.

Incident response firm Security Joes announced last month the discovery of a new backdoor called IceBreaker that was delivered from a malicious LNK in a ZIP archive.

A similar method was seen in a ChromeLoader campaign that relied on a malicious LNK to execute a batch script and extract the content of a ZIP container to fetch the final payload.

However, the closest to CommonMagic's technique is a threat actor that Cisco Talos tracks as YoroTrooper, who engaged in cyberespionage activity using phishing emails delivering malicious LNK files and decoy PDF documents encased in a ZIP or RAR archive.

Despite the non-customary approach, though, CommonMagic's method proved to be successful, Kaspersky says.

The researchers discovered an active infection in October last year but tracked a few attacks from this threat actor as old as September 2021.

Leonid Besverzhenko, security researcher at Kaspersky’s Global Research and Analysis Team, told BleepingComputer that the PowerMagic backdoor and the CommonMagic framework were used in dozens of attacks.

Although CommonMagic activity appears to have started in 2021, Besverzhenko says that the adversary intensified their efforts last year and continues to be active today.

By combining unsophisticated techniques that have been used by multiple actors and original malicious code, the hackers managed to make impossible a connection to other campaigns at this time.

A spokesperson from Kaspersky told BleepingComputer that “the limited victimology and Russian-Ukrainian conflict-themed lures suggest that the attackers likely have a specific interest in the geopolitical situation in that region.”

Related Articles:

US govt officials’ communications compromised in recent telecom hack

North Korean hackers use new macOS malware against crypto firms

Custom "Pygmy Goat" malware used in Sophos Firewall hack on govt network

Windows infected with backdoored Linux VMs in new phishing attacks

QNAP removes backdoor account in NAS backup, disaster recovery app