New 'Bad Magic' Cyber Threat Disrupts Ukraine's Key Sectors Amid War


As the conflict between Russia and Ukraine continues, agricultural and transportation organizations located in Donetsk, Lugansk, and Crimea have been targeted in a recent campaign that uses a new modular framework called CommonMagic.

Kaspersky reported that while the initial access vector remains unknown, the details of the next stage point to spear-phishing or a similar method.

Bad Magic is the name given to the cluster of suspicious activity that the Russian cybersecurity company has been tracking since October 2022.

The attack chain uses booby-trapped URLs that lead to a ZIP archive hosted on a malicious web server. The archive contains a decoy document and a malicious LNK file which, when opened, ultimately leads to the deployment of a backdoor known as PowerMagic.
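The lure layout described above (a decoy document packed next to an LNK file) is something a mail gateway or sandbox can check for before a user ever opens the archive. The following triage script is an added example written for this article, not code from Kaspersky or from the campaign itself; it identifies shell links by their fixed header bytes rather than by file name, so a renamed LNK is still caught, and flags archives that pair a link file with a document-looking decoy. The sample archive it builds is constructed in memory and contains only placeholder bytes.

```python
import io
import zipfile

# A Windows Shell Link (.lnk) begins with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_HEADER = (
    b"\x4c\x00\x00\x00"
    b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
)

# Extensions that typically appear as the decoy document in this kind of lure.
DECOY_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf")


def is_lnk(data: bytes) -> bool:
    """Identify a shell link by its header bytes, independent of its file name."""
    return data[: len(LNK_HEADER)] == LNK_HEADER


def triage_zip(blob: bytes) -> dict:
    """Inspect every member of a ZIP archive and report the lure indicators found.

    Returns a dict with the LNK members, decoy documents, LNK files whose name
    hides the .lnk extension, and an overall 'suspicious' verdict.
    """
    findings = {"lnk": [], "decoys": [], "disguised_lnk": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            # Only the header is needed to classify the member.
            head = zf.open(info).read(len(LNK_HEADER))
            if is_lnk(head):
                findings["lnk"].append(info.filename)
                if not name.endswith(".lnk"):
                    findings["disguised_lnk"].append(info.filename)
            elif name.endswith(DECOY_EXTENSIONS):
                findings["decoys"].append(info.filename)
    # Decoy document + shell link in one archive, or any LNK hiding its extension.
    findings["suspicious"] = (
        bool(findings["lnk"]) and bool(findings["decoys"])
    ) or bool(findings["disguised_lnk"])
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure layout: decoy document plus LNK.

    The member names and contents are placeholders, not artifacts from the campaign.
    The LNK member carries only a valid header padded with zeros.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.docx", b"placeholder decoy document bytes")  # constructed
        zf.writestr("report.docx.lnk", LNK_HEADER + b"\x00" * 56)        # constructed
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed archive with only documents, used to show the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("minutes.docx", b"placeholder document bytes")  # constructed
        zf.writestr("budget.xlsx", b"placeholder spreadsheet bytes")  # constructed
    return buf.getvalue()


if __name__ == "__main__":
    print("lure archive:", triage_zip(build_sample_zip()))
    print("benign archive:", triage_zip(build_benign_zip()))
```

The check reads only the first 20 bytes of each member, so it is cheap enough to run on every inbound archive; the "disguised_lnk" list matters because Windows Explorer hides the .lnk extension by default, which is why a name such as report.docx.lnk appears to the user as a document.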

PowerMagic, written in PowerShell, communicates with a remote server and executes arbitrary commands relayed through cloud storage platforms such as Dropbox and Microsoft OneDrive; the output of those commands is then exfiltrated.
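Because the backdoor is a PowerShell script that talks to consumer cloud storage, one practical detection angle is to watch for script hosts opening network connections to those services. The following detector is an added example for this article, not Kaspersky's rule or anything from the campaign. It runs over constructed Sysmon-style network-connection events in JSON form; the hostname patterns are assumptions about where Dropbox and OneDrive traffic goes and should be tuned against your own telemetry rather than treated as an indicator list.

```python
import json
import re
from typing import List, Optional

# Assumed hostname patterns for the cloud storage services named in the report.
# Illustrative only: confirm against your own proxy or DNS logs before deploying.
CLOUD_STORAGE_PATTERNS = [
    re.compile(r"(^|\.)dropbox(api)?\.com$"),
    re.compile(r"(^|\.)onedrive\.live\.com$"),
    re.compile(r"(^|\.)1drv\.ms$"),
    re.compile(r"^graph\.microsoft\.com$"),
]

# Script interpreters whose outbound connections to file-sharing services are unusual.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed sample events in a Sysmon-like shape (event_id 3 = network connection).
# Paths, hosts and users are made up for this example.
SAMPLE_EVENTS = [
    r'{"event_id": 3, "user": "CORP\\alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "dest_host": "api.dropboxapi.com", "dest_port": 443}',
    r'{"event_id": 3, "user": "CORP\\alice", "image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "parent_image": "C:\\Windows\\explorer.exe", "dest_host": "onedrive.live.com", "dest_port": 443}',
    r'{"event_id": 3, "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "dest_host": "wsus.corp.example", "dest_port": 8530}',
    r'{"event_id": 1, "user": "CORP\\bob", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe"}',
]


def basename(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(line: str) -> Optional[dict]:
    """Return an alert dict if a script host connects to cloud storage, else None."""
    ev = json.loads(line)
    if ev.get("event_id") != 3:
        return None
    image = basename(ev.get("image", ""))
    host = ev.get("dest_host", "").lower()
    if image in SCRIPT_HOSTS and any(p.search(host) for p in CLOUD_STORAGE_PATTERNS):
        return {
            "rule": "script-host-to-cloud-storage",
            "image": image,
            "parent_image": basename(ev.get("parent_image", "")),
            "user": ev.get("user"),
            "dest_host": host,
        }
    return None


def scan(lines: List[str]) -> List[dict]:
    """Apply the detector to each event line and collect the alerts."""
    return [hit for hit in map(detect, lines) if hit is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample event fires: the OneDrive client talking to onedrive.live.com is expected, and PowerShell reaching an internal update server does not touch cloud storage. The alert carries the parent process and user so an analyst can separate an explorer-launched script (consistent with a user opening a lure) from a scheduled administrative task, which is where most tuning of this rule will happen.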

PowerMagic serves as a conduit for deploying the CommonMagic framework - a set of executable modules built to carry out specific tasks, including communicating with the command-and-control (C2) server, encrypting and decrypting C2 traffic, and executing plugins.

Two plugins have been observed so far: one captures screenshots every three seconds, and the other collects files of interest from connected USB devices.

Kaspersky said it found no evidence linking the operation or its tooling to any known threat actor or group. The earliest ZIP archive attachment dates back to September 2021, suggesting the campaign may have gone unnoticed for over 1.5 years.
