
CommonMagic APT gang attacking organisations in Ukraine

The gang is using novel methods to attack Ukrainian organisations, and is likely to be politically motivated.

By Claudia Glover

A state-sponsored gang of cybercriminals dubbed CommonMagic has been terrorising companies in Ukraine, new research shows. The malware used in the attacks is called PowerMagic and appears to be brand new. Government organisations, as well as agricultural and transportation businesses show signs of being infected, researchers say.

CommonMagic APT gang is terrorising companies in various areas of Ukraine. (Photo by Milan Sommer/Shutterstock)

Companies located in the Donetsk, Luhansk and Crimea regions within Ukraine are being attacked by CommonMagic, according to a new report from security company Kaspersky.

APT gang CommonMagic attacks companies in Ukraine

The report released today describes CommonMagic as having a “complicated, previously unseen, malicious modular framework” to launch attacks.

PowerMagic is one of the main tools in this arsenal. Once downloaded, it provides a back door into the target organisation, using OneDrive and Dropbox to transport stolen files.

“The CommonMagic framework consists of several executable modules, all stored in the ‘CommonCommand’ directory. Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the command and control (C&C) server, encryption and decryption of the C&C traffic and various malicious actions,” the report explains.

CommonMagic is also capable of stealing files from USB devices to send back to the attacker.

At the time of writing, no direct links exist between the code and data used in this campaign and any previously known ones. However, as the campaign is still active and the investigation is still in progress, further research may reveal additional information that could aid in attributing this campaign to a specific threat actor.


The victims of the attacks suggest that the criminals likely have a specific interest in the geopolitical situation in Ukraine.

“Geopolitics always affect the cyber threat landscape and lead to the emergence of new threats,” said Leonid Bezvershenko, security researcher at Kaspersky’s global research and analysis team. “We have been monitoring activity connected to the conflict between Russia and Ukraine for a while now, and this is one of our latest discoveries.

“Although the malware and techniques employed in the CommonMagic campaign are not particularly sophisticated, the use of cloud storage as the command-and-control infrastructure is noteworthy. We will continue our investigation and hopefully will be able to share more insights into this campaign,” continues Bezvershenko.
