The advanced persistent threat (APT) group known as CommonMagic has been observed targeting government organizations in the Russo-Ukrainian conflict zone.
According to an advisory published by Kaspersky earlier today, CommonMagic has been active since at least September 2021, with the group attacking government, agriculture and transportation organizations across Donetsk, Luhansk and Crimea.
“Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods,” reads the technical write-up. “The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files.”
The first of these files was a decoy document (either a PDF, XLSX or DOC file), while the second was a malicious LNK (Windows shortcut) file with a double extension (e.g., .pdf.lnk) that led to an infection when opened.
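A defender-side check for the delivery pattern described above: scan a ZIP archive for shortcut files hidden behind a document extension, and for members whose content carries the Windows shortcut header regardless of their name. This is an added example, not code from Kaspersky or from the campaign; the archive contents and the list of decoy extensions are constructed for illustration.

```python
import io
import zipfile
from typing import Dict, Optional

# Every Windows shortcut begins with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4C0000000114020000000000C000000000000046")

# Document extensions an attacker might place before ".lnk" (assumed list).
DECOY_EXTENSIONS = {"pdf", "xlsx", "xls", "doc", "docx", "txt", "jpg", "png"}


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a reason if an archive member looks like a disguised shortcut."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DECOY_EXTENSIONS:
        return "double-extension shortcut"
    if head.startswith(LNK_MAGIC):
        # The bytes are a shortcut even if the file name says otherwise.
        return "shortcut" if parts[-1] == "lnk" else "shortcut content with non-.lnk name"
    return None


def suspicious_members(zip_bytes: bytes) -> Dict[str, str]:
    """Map flagged member names of a ZIP archive to the reason they were flagged."""
    flagged: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            reason = classify_member(info.filename, head)
            if reason:
                flagged[info.filename] = reason
    return flagged


def build_sample_archive() -> bytes:
    """Constructed archive mirroring the lure: decoy PDF plus a .pdf.lnk shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.pdf", b"%PDF-1.4 constructed decoy document")
        zf.writestr("docs/report.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("docs/notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in suspicious_members(build_sample_archive()).items():
        print(f"{member}: {why}")
```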
Kaspersky said the threat actor carried out attacks using a PowerShell-based backdoor called PowerMagic and a new malicious framework, CommonMagic, which shares the group’s name.
“The backdoor receives commands from a remote folder located on a public cloud storage service, executes the commands sent from the server and then uploads the results of the execution back to the cloud,” Kaspersky wrote. “PowerMagic also sets itself up in the system to be launched persistently on startup of the infected machine.”
As for CommonMagic, the security researchers explained that the framework consists of several modules. Each of them is an executable file launched in a separate process, with modules able to communicate with one another.
“The framework is capable of stealing files from USB devices, as well as taking screenshots every 3 seconds, and sending them to the attacker,” reads the advisory.
Commenting on the findings, Kaspersky security researcher Leonid Bezvershenko said that while the malware and techniques used in the CommonMagic campaign are not particularly sophisticated, the use of cloud storage as command-and-control (C2) infrastructure is notable.
“We will carry on our investigation and hopefully will be capable to share extra insights into this campaign.”
Some parts of this article are sourced from:
www.infosecurity-journal.com