Pierluigi Paganini
May 23, 2023
On March 2023, researchers from Kaspersky spotted a previously unknown APT group, tracked as Bad Magic (aka Red Stinger), that targeted organizations in the region of the Russo-Ukrainian conflict. The attackers were observed using PowerMagic and CommonMagic implants.
Looking for other implants with similarities with PowerMagic and CommonMagic, the researchers identified a different cluster of even more sophisticated malicious activities associated with the same threat actor.
The victims of this cluster were located not only in the Donetsk, Lugansk and Crimea regions, but also in central and western Ukraine. The APT group targeted individuals, as well as diplomatic and research organizations in the area of the conflict. In the latest campaign uncovered by Kaspersky, the APT group, used a modular framework dubbed CloudWizard that supports spyware capabilities, including taking screenshots, microphone recording, harvesting Gmail inboxes, and keylogging.
A deeper analysis revealed that the threat actor CloudWizard has been linked to an activity cluster that dates back to May 2016 that was tracked by ESET researchers as Operation Groundbait.
In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions with a previously undetected framework dubbed CommonMagic.
Researchers believe that threat actors use spear phishing as an initial attack vector, the messages include an URL pointing to a ZIP archive hosted on a web server under the control of the attackers. The archive contained two files, a decoy document (i.e. PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (i.e., .pdf.lnk) used to start the infection and deploy the PowerMagic backdoor.
Kaspersky attributed the October campaign to a new APT group operating in the area of Russo-Ukrainian conflict and tracked as Bad Magic.
The researchers noticed that TTPs observed during this campaign have no direct link to any known campaigns. PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by C2, then it exfiltrates data to cloud services like Dropbox and Microsoft OneDrive.
“When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky.
The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework.
Each module of the CommonMagic framework is used to perform a certain task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, and executing plugins.
Back to nowadays, Kaspersky analyzed historical telemetry data and was able to identify multiple installers associated with the CloudWizard framework that were used from 2017 to 2020.
Further analysis revealed that the actor behind the above operations has been active since at least 2008. This means that the threat actor was able to avoid detection for more than 15 years.
“We initiated our investigation back in 2022, starting with simple malicious PowerShell scripts deployed by an unknown actor and ended up discovering and attributing two large related modular frameworks: CommonMagic and CloudWizard.” reads the new report published by Kaspersky. “As our research demonstrates, their origins date back to 2008, the year the first Prikormka samples were discovered. Since 2017, there have been no traces of Groundbait and BugDrop operations. However, the actor behind these two operations has not ceased their activity, and has continued developing their cyberespionage toolset and infecting targets of interest for more than 15 years.”
The experts have yet to discover the initial access vector, however, the investigation started with the detection of malware running as a suspicious Windows service named “syncobjsup”.
The malware also drops a second file (“mods.lrc”), which contains three DLLs (with export table names Main.dll, Crypton.dll and Internet.dll) and a JSON configuration of these DLLs
The internet connection module uses data encryption for C2 communications, it supports four different communication types, three cloud storages (OneDrive, Dropbox, Google Drive) and a Web-based C2 server.
OneDrive is used as a primary cloud storage, while Dropbox and Google Drive are used if OneDrive becomes inaccessible. The module’s configuration includes OAuth tokens that are used for cloud storage authentication.
“The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyberespionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years,” said Georgy Kucherin, security researcher at Kaspersky’s Global Research and Analysis Team. “Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future.”
We are in the final!
Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini
Please nominate Security Affairs as your favorite blog.
Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CloudWizard APT)
