A state-sponsored gang of cybercriminals dubbed CommonMagic has been terrorising companies in Ukraine, new research shows. The malware used in the attacks is called PowerMagic and appears to be brand new. Government organisations, as well as agricultural and transportation businesses, show signs of being infected, researchers say.
Companies located in the Donetsk, Luhansk and Crimea regions within Ukraine are being attacked by CommonMagic, according to a new report from security company Kaspersky.
APT gang CommonMagic attacks companies in Ukraine
The report released today describes CommonMagic as having a “complicated, previously unseen, malicious modular framework” to launch attacks.
PowerMagic is one of the main tools in this arsenal. Once downloaded, it provides a back door into the target organisation, using OneDrive and Dropbox to transport stolen files.
“The CommonMagic framework consists of several executable modules, all stored in the ‘CommonCommand’ directory. Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the command and control (C&C) server, encryption and decryption of the C&C traffic and various malicious actions,” the report explains.
CommonMagic is also capable of stealing files from USB devices to send back to the attacker.
At the time of writing, no direct links exist between the code and data used in this campaign and any previously known ones. However, as the campaign is still active and the investigation is still in progress, further research may reveal additional information that could aid in attributing this campaign to a specific threat actor.
The victims of the attacks suggest that the criminals likely have a specific interest in the geopolitical situation in Ukraine.
“Geopolitics always affect the cyber threat landscape and lead to the emergence of new threats,” said Leonid Bezvershenko, security researcher at Kaspersky’s global research and analysis team. “We have been monitoring activity connected to the conflict between Russia and Ukraine for a while now, and this is one of our latest discoveries.
“Although the malware and techniques employed in the CommonMagic campaign are not particularly sophisticated, the use of cloud storage as the command-and-control infrastructure is noteworthy. We will continue our investigation and hopefully will be able to share more insights into this campaign,” continued Bezvershenko.