Kaspersky, the Russian cybersecurity firm, has released a report detailing an ongoing campaign that uses a new modular framework called CommonMagic to attack government, agriculture, and transportation organizations in Ukraine.
The attacks are part of an active campaign that has been tracked since October 2022 and is known as “Bad Magic.”
While the initial vector of compromise is unclear, Kaspersky said the use of spear phishing or similar methods is likely involved.
The lure is a URL pointing to a ZIP archive hosted on an attacker-controlled web server. The archive contains a decoy document and a malicious LNK file; opening the shortcut starts a chain that ultimately deploys a backdoor called PowerMagic.
Written in PowerShell, PowerMagic takes commands from a remote server, executes them, and uploads the results to cloud storage services such as Dropbox and Microsoft OneDrive, so its traffic blends in with legitimate use of those services.
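Static triage of this kind of lure is straightforward once the shortcut is parsed rather than just listed. The script below is an added example, not code from Kaspersky's report: it reads a ZIP archive in memory, parses each .lnk according to the MS-SHLLINK layout (ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then the StringData fields), and flags shortcuts that launch a script interpreter, request a hidden window, bypass the execution policy, or masquerade as a document beside a decoy. The archive, the file names and the PowerShell command line are constructed for the example and do not come from the campaign.

```python
"""
Triage a ZIP lure: a decoy document shipped beside a .lnk that launches a
script interpreter. LNK parsing follows MS-SHLLINK; the sample archive,
its file names and its command line are constructed for this example.
"""
import io
import re
import struct
import zipfile

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SW_SHOWMINNOACTIVE = 7  # start minimised without focus: the console is barely visible

INTERPRETERS = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|rtf)$", re.I)


def _string_data(buf, off, unicode):
    """One StringData field: a 16-bit character count, then the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("latin-1"), off + count


def parse_lnk(buf):
    """Extract the triage-relevant fields of a .lnk: target, arguments, window mode."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE \
            or buf[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_cmd,) = struct.unpack_from("<I", buf, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip the IDList: 16-bit size field plus items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo: its first dword is its total size
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {"show_command": show_cmd}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            fields[key], off = _string_data(buf, off, flags & IS_UNICODE)
    return fields


def build_lnk(relative_path, arguments, show_command=1, icon_location=None):
    """Minimal Unicode .lnk carrying RELATIVE_PATH, COMMAND_LINE_ARGUMENTS and an optional ICON_LOCATION."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE | (HAS_ICON_LOCATION if icon_location else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    strings = [relative_path, arguments] + ([icon_location] if icon_location else [])
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)


def triage_archive(zip_bytes):
    """Report every .lnk in the archive together with the reasons it looks like a lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            lnk = parse_lnk(zf.read(name))
            target, args = lnk.get("relative_path", ""), lnk.get("arguments", "")
            reasons = []
            if INTERPRETERS.search(target):
                reasons.append("launches script interpreter")
            if lnk["show_command"] == SW_SHOWMINNOACTIVE or re.search(r"-w(indowstyle)?\s+h", args, re.I):
                reasons.append("hidden window")
            if re.search(r"-e(nc|ncodedcommand)?\s+\S|-ep\s+bypass|executionpolicy\s+bypass", args, re.I):
                reasons.append("execution policy bypass or encoded command")
            if DOC_EXT.search(name[:-4]):
                reasons.append("double extension masquerading as a document")
            decoys = [n for n in names if n != name and DOC_EXT.search(n)]
            if decoys:
                reasons.append("shipped with decoy document: " + ", ".join(decoys))
            findings.append({"entry": name, "target": target, "arguments": args,
                             "reasons": reasons, "suspicious": len(reasons) >= 2})
    return findings


def build_sample_archive():
    """Constructed lure in the shape described above; names and command line are invented."""
    lnk = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-w hidden -ep bypass -c \"iex (gc $env:TEMP\\stage.ps1 -Raw)\"",  # hypothetical stager
        show_command=SW_SHOWMINNOACTIVE,
        icon_location=r"%SystemRoot%\System32\shell32.dll",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4\n% decoy\n")
        zf.writestr("Report.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print(f["entry"], "->", f["target"], f["arguments"])
        for r in f["reasons"]:
            print("  *", r)
```

Two design points worth noting: the parser skips the LinkTargetIDList and LinkInfo blocks by their own size fields instead of assuming a fixed layout, so real-world shortcuts with an embedded ID list parse correctly, and the window mode is checked both in the header (ShowCommand) and in the arguments, since droppers use either to keep the console out of sight.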
PowerMagic also delivers the CommonMagic framework, a set of executable modules designed to carry out specific tasks such as interacting with the command-and-control server, encrypting and decrypting C2 traffic, and executing plugins.
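Because the C2 channel rides on services that are legitimately in use on most networks, blocking or alerting on the destination alone is not workable; the useful signal is which process is talking to cloud storage. The following is an added example, not Kaspersky's detection logic: it correlates Sysmon-style process-creation (event ID 1) and network-connection (event ID 3) records and reports a script host that was started with stealth flags and then opened connections to consumer cloud storage within a short window. The events are constructed and the field names follow Sysmon; the host list and flag list are assumptions a practitioner would tune locally.

```python
"""
Hunt for a script host that talks to consumer cloud storage, the footprint
a dead-drop C2 channel like PowerMagic's would leave in endpoint telemetry.
Events below are constructed to look like Sysmon records; they are not real.
"""
from datetime import datetime, timedelta

# Storage providers usable as a dead-drop C2. Blocking them is rarely an
# option, so the rule keys on the process rather than the destination.
CLOUD_STORAGE_HOSTS = ("dropboxapi.com", "dropbox.com",
                       "onedrive.live.com", "graph.microsoft.com", "api.onedrive.com")

# Script hosts whose direct cloud-storage traffic is unexpected.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# Command-line fragments that suggest the operator wanted the window hidden
# or the execution policy ignored (ordered; "-enc" also covers -encodedcommand).
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-ep bypass", "-nop", "-enc")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _is_cloud_storage(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


def find_cloud_c2(events, window=timedelta(minutes=5)):
    """Correlate process creation with later network connections from the same ProcessGuid."""
    procs = {}   # ProcessGuid -> process-creation event
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
            continue
        if ev["EventID"] != 3:
            continue
        proc = procs.get(ev["ProcessGuid"])
        if proc is None:
            continue
        image = proc["Image"].rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS or not _is_cloud_storage(ev.get("DestinationHostname", "")):
            continue
        if _ts(ev["UtcTime"]) - _ts(proc["UtcTime"]) > window:
            continue
        cmd = proc["CommandLine"].lower()
        stealth = [f for f in HIDDEN_FLAGS if f in cmd]
        hits.append({"process": image, "pid": proc["ProcessId"],
                     "parent_image": proc.get("ParentImage", ""),
                     "destination": ev["DestinationHostname"],
                     "stealth_flags": stealth,
                     "severity": "high" if stealth else "medium"})
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    # Legitimate OneDrive sync client: same destination family, benign process.
    {"EventID": 1, "UtcTime": "2023-03-21 09:00:00", "ProcessGuid": "g-1", "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "CommandLine": "OneDrive.exe /background", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2023-03-21 09:00:05", "ProcessGuid": "g-1", "ProcessId": 4120,
     "DestinationHostname": "graph.microsoft.com", "DestinationPort": 443},
    # Script host launched from the shell (as a .lnk would) with stealth flags,
    # then polling a Dropbox endpoint: the pattern to catch.
    {"EventID": 1, "UtcTime": "2023-03-21 09:12:10", "ProcessGuid": "g-2", "ProcessId": 5532,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c iex(gc stage.ps1 -Raw)",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "UtcTime": "2023-03-21 09:12:14", "ProcessGuid": "g-2", "ProcessId": 5532,
     "DestinationHostname": "api.dropboxapi.com", "DestinationPort": 443},
    # Admin PowerShell reaching an internal host: no hit.
    {"EventID": 1, "UtcTime": "2023-03-21 09:30:00", "ProcessGuid": "g-3", "ProcessId": 6001,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File .\\inventory.ps1", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "UtcTime": "2023-03-21 09:30:02", "ProcessGuid": "g-3", "ProcessId": 6001,
     "DestinationHostname": "wsus.corp.example", "DestinationPort": 8530},
]

if __name__ == "__main__":
    for hit in find_cloud_c2(SAMPLE_EVENTS):
        print(hit)
```

The OneDrive client and the administrator's script both touch one half of the pattern and are ignored; only the hidden-window PowerShell that reaches Dropbox is reported. A backdoor that polls at long intervals will fall outside the five-minute window, so in production the correlation should be keyed on process lifetime rather than a fixed delay.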
Two of the plugins discovered so far have the capability to capture screenshots every three seconds and gather files of interest from connected USB devices. Kaspersky has found no evidence linking the operation and its tooling to any known threat actor or group.
Given the ongoing conflict between Russia and Ukraine and the choice of targets, the Bad Magic campaign is widely assumed to be the work of a Russian state-sponsored group, but that is an inference from targeting rather than a finding of the report, which makes no attribution.
The use of new, previously unseen tools shows why defenders cannot rely on known indicators alone: detection and response have to cover behaviour that no existing signature describes.