The advanced persistent threat (APT) known as CommonMagic has been observed targeting government organisations in the Russo-Ukrainian conflict zone.
According to an advisory published by Kaspersky earlier today, CommonMagic has been active since at least September 2021, with the group attacking administrative, agriculture and transportation entities across Donetsk, Luhansk and Crimea.
“Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods,” reads the technical write-up. “The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files.”
The first of these files was a decoy document (either a PDF, XLSX or DOC file), while the second was a malicious LNK (Windows shortcut) file with a double extension (e.g., .pdf.lnk) that led to an infection when opened.
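An added example, not code from Kaspersky's advisory or from this article, that checks a ZIP archive for the pattern just described (a decoy document alongside a shortcut carrying a double extension), both by file name and by the shell-link header bytes; the sample archive is constructed inline so it runs offline.

```python
"""Flag ZIP archives matching the decoy-document-plus-double-extension-LNK
pattern. Added example; the sample archive below is constructed, not real."""
import io
import zipfile
from pathlib import PurePosixPath

DECOY_EXTS = {".pdf", ".xlsx", ".xls", ".doc", ".docx"}
# Every Windows shortcut starts with HeaderSize 0x4C followed by the
# ShellLink CLSID {00021401-0000-0000-C000-000000000046} in binary form.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")


def is_lnk(data: bytes) -> bool:
    """True if the content is a shell link, whatever the file is named."""
    return data[:20] == LNK_MAGIC


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Return archive members that look like a document but are shortcuts:
    a double extension such as report.pdf.lnk, or LNK content hiding
    behind a name that does not end in .lnk."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            double_ext = (len(suffixes) >= 2 and suffixes[-1] == ".lnk"
                          and suffixes[-2] in DECOY_EXTS)
            content_is_lnk = is_lnk(zf.read(info))
            if double_ext or (content_is_lnk and suffixes[-1:] != [".lnk"]):
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the described archive: one decoy
    document and one shortcut with a double extension (header only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample_archive()))  # ['report.pdf.lnk']
```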
Kaspersky explained that the threat actor executed attacks using a PowerShell-based backdoor called PowerMagic and a new malicious framework named CommonMagic after the group's name.
“The backdoor receives commands from a remote folder located on a public cloud storage service, executes the commands sent from the server and then uploads the results of the execution back to the cloud,” Kaspersky wrote. “PowerMagic also sets itself up in the system to be launched persistently on startup of the infected device.”
As for CommonMagic, the security researchers said the framework comprises several modules. Each of them is an executable file launched in a separate process, and the modules are able to communicate with one another.
“The framework is capable of stealing files from USB devices, as well as taking screenshots every three seconds, and sending them to the attacker,” reads the advisory.
Commenting on the findings, Kaspersky security researcher Leonid Bezvershenko said that although the malware and techniques used in the CommonMagic campaign are not particularly sophisticated, the use of cloud storage as the command-and-control (C2) infrastructure is notable.
“We will continue on our investigation and hopefully will be capable to share additional insights into this campaign.”