The number of APT groups targeting organizations in Ukraine as part of the war with Russia continues to grow, as researchers have identified a new threat actor that has compromised agricultural, government, and transportation organizations in the country with a previously unseen PowerShell backdoor, PowerMagic, and a modular attack framework, CommonMagic.
The group, which Kaspersky researchers discovered and have not yet named, likely uses spear phishing for initial access: victims are lured to an attacker-controlled URL that serves a ZIP archive containing an LNK file and a decoy PDF, in some cases given a name similar to the LNK file's to lend it legitimacy. Opening the LNK file downloads and executes an MSI package from a remote server, which eventually installs the PowerMagic backdoor, a PowerShell implant that uses OneDrive and Dropbox folders to move files in and out.
PowerMagic is a relatively simple backdoor: it communicates with its C2 infrastructure to receive and execute commands, and uploads the results to the OneDrive and Dropbox folders it uses as a transport. Its real purpose, however, appears to be to install the CommonMagic framework, which has a number of individual modules and features.
“All the victims of PowerMagic were also infected with a more complicated, previously unseen, modular malicious framework that we named CommonMagic. This framework was deployed after initial infection with the PowerShell backdoor, leading us to believe that CommonMagic is deployed via PowerMagic,” an analysis of the framework by Kaspersky researchers says.
“The CommonMagic framework consists of several executable modules, all stored in the directory C:\ProgramData\CommonCommand. Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the C&C server, encryption and decryption of the C&C traffic and various malicious actions.”
CommonMagic can download new executable modules and also ships with two plugins. One takes a screenshot of the infected machine every three seconds; the other grabs the contents of any connected USB drive. Kaspersky has not linked CommonMagic or PowerMagic to any known attack group.
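The two stages described above (an LNK that makes msiexec.exe fetch a remote MSI, then a PowerShell backdoor that drops modules under C:\ProgramData\CommonCommand which talk to each other over named pipes) each leave behaviour a hunt can key on. The script below is an added example, not Kaspersky's code or the malware's, and it runs detection logic over Sysmon-style process, file and named-pipe events. Assumptions: the JSON field names follow Sysmon's (Image, ParentImage, CommandLine, TargetFilename), the sample events, host names, module file name and pipe name are constructed for the example, and the "msiexec spawning powershell.exe" rule is a heuristic for how the MSI stage might install the PowerShell backdoor rather than a detail from the report. The only indicator taken directly from the article is the module directory.

```python
"""Hunt for PowerMagic/CommonMagic delivery and framework artifacts.

Added example (not from the Kaspersky report). Only the module directory
is an indicator from the report; everything else is a behavioural
heuristic, and the sample events below are constructed.
"""
import json
import re
from collections import defaultdict

# From the report: framework modules live here (compared case-insensitively).
MODULE_DIR = r"c:\programdata\commoncommand"
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)


def classify(ev):
    """Return the detection names that fire on one event dict."""
    hits = []
    kind = ev.get("event")
    image = ev.get("Image", "").lower()
    if kind == "ProcessCreate":
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "")
        # Delivery stage: msiexec installing a package straight from a URL.
        if image.endswith("\\msiexec.exe") and REMOTE_URL.search(cmd):
            hits.append("delivery:msiexec_remote_package")
        # Heuristic (assumption): the MSI stage launching PowerShell.
        if parent.endswith("\\msiexec.exe") and image.endswith("\\powershell.exe"):
            hits.append("delivery:msi_spawned_powershell")
        # Framework stage: anything executing out of the module directory.
        if image.startswith(MODULE_DIR + "\\"):
            hits.append("framework:module_executed")
    elif kind == "FileCreate":
        if ev.get("TargetFilename", "").lower().startswith(MODULE_DIR + "\\"):
            hits.append("framework:module_dropped")
    elif kind in ("PipeCreated", "PipeConnected"):
        # Modules talk over named pipes; pipe names are unknown, so key on the image.
        if image.startswith(MODULE_DIR + "\\"):
            hits.append("framework:module_named_pipe")
    return hits


def hunt(lines):
    """Parse JSON-lines events and return {host: sorted list of detections}."""
    per_host = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for hit in classify(ev):
            per_host[ev["Computer"]].add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}


def triage(per_host):
    """Rank hosts by which stages of the chain were observed."""
    verdicts = {}
    for host, hits in per_host.items():
        stages = {hit.split(":")[0] for hit in hits}
        if {"delivery", "framework"} <= stages:
            verdicts[host] = "full_chain"
        elif "framework" in stages:
            verdicts[host] = "framework_present"
        elif "delivery" in stages:
            verdicts[host] = "delivery_only"
    return verdicts


# Constructed sample events (host names, URL, module and pipe names are made up).
SAMPLE_EVENTS = r"""
{"Computer":"WS01","event":"ProcessCreate","Image":"C:\\Windows\\System32\\msiexec.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"msiexec.exe /i http://example.invalid/pkg.msi /qn"}
{"Computer":"WS01","event":"ProcessCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\msiexec.exe","CommandLine":"powershell.exe -NoProfile -WindowStyle Hidden"}
{"Computer":"WS01","event":"FileCreate","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetFilename":"C:\\ProgramData\\CommonCommand\\module.exe"}
{"Computer":"WS01","event":"ProcessCreate","Image":"C:\\ProgramData\\CommonCommand\\module.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"module.exe"}
{"Computer":"WS01","event":"PipeCreated","Image":"C:\\ProgramData\\CommonCommand\\module.exe","PipeName":"\\cmdpipe"}
{"Computer":"WS02","event":"ProcessCreate","Image":"C:\\Windows\\System32\\msiexec.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"msiexec.exe /i C:\\Users\\alice\\Downloads\\tool.msi"}
{"Computer":"WS02","event":"PipeCreated","Image":"C:\\Windows\\System32\\svchost.exe","PipeName":"\\ntsvcs"}
{"Computer":"WS03","event":"FileCreate","Image":"C:\\Windows\\explorer.exe","TargetFilename":"C:\\ProgramData\\CommonCommand\\module.exe"}
"""


def demo():
    per_host = hunt(SAMPLE_EVENTS.splitlines())
    return per_host, triage(per_host)


if __name__ == "__main__":
    hits, verdicts = demo()
    for host in sorted(hits):
        print(host, verdicts[host], hits[host])
```

WS02's local MSI install and svchost pipe are deliberately benign so the rules do not fire on ordinary activity; in production the msiexec-from-URL rule will still need tuning for any legitimate web-hosted installers in the environment, whereas the module-directory rules are close to zero-noise because nothing legitimate should live there.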
“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it,” the Kaspersky researchers said.
Last week, researchers at SentinelOne detailed recent intrusions in Ukrainian organizations by a low-profile Russian APT group known as Winter Vivern. That team has targeted Ukrainian government agencies, as well as organizations in Poland.