New dangerous threat Magic Malware hit thousands of UK firms

Pierluigi Paganini April 19, 2013

The Internet is full of news regarding malware more or less sophisticated that are used for various purposes, cybercrime, cyber espionage, hacktivism or cyber warfare but not all these agents demonstrated their efficiency over the time.

This time thousands of UK companies have been targeted by a smart malware, dubbed “Magic Malware”,  that has gone undetected for at least eleven months according revelation of security firm Seculert.





Despite there is no certainty of the real purpose of the malware security experts believe that it is designed for cyber espionage operations, what seems very likely is that malicious agent is still a work in progress probably only at the first stage of a large scale operation.

The consideration arises from the observation that the malicious code detected containing various “indications of features which are not yet implemented”, and functions which are not yet used by the malware.

“The real intention of the attackers behind this magic malware is yet to be known. As the malware is capable of setting up a backdoor, stealing information, and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” wrote Aviv Raff in the post on official company website.

Aviv Raff has approached the analysis of the malware as a show of prestige organized in three phases:

  • “The Pledge” – malware detection
  • “The Turn” – the particular malware behavior
  • “The Prestige – the real intention of the attackers.

“This ‘Magic Malware’ is active, persistent and had remained undetected on the targeted machines for the past 11 months. Since then the attackers were able to target several thousands of different entities, most of them located in the United Kingdom,” 

What is singular is that the malicious code adopted a sly technique to communicate with control structures after infected the victims through a specialized server communication protocol.  “The Turn” phase represents the extraordinary behavior of the malware, after a first connection to the C&C malware and control server start communicating with a custom-made protocol, and always using a magic code at the beginning of the conversation.

In the following pictures the typical handshake between the interlocutors:

“Magic” malware receives an initial response to use “some_magic_code1” as a magic code

Then “magic” malware receives an instruction from the C2 server to add a new user


The malware once infected the victim takes complete remote control of it waiting for orders from the command and control server (C&C) exactly as for any other botnet architecture.

The malware is capable of downloading and executing additional malicious files, probably the modularity of the agent could adapt the malicious code for further use such as sabotage.

Another element that suggests the cyber espionage intent behind the malware is the nature of the targets, there are in fact financial companies, education and also communications providers.

Security experts are convicted that in the future the malware will continue its evolution, in the meantime lets install all defense systems and keep them updated.

Pierluigi Paganini

(Security Affairs – Malware)

you might also like

leave a comment