CommonMagic Used in Attacks Against Ukraine

During the ongoing conflict between Russia and Ukraine, various government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea have been targeted by a new modular framework called CommonMagic as part of an active campaign.

A Russian cybersecurity company that detected the attacks in October 2022 is tracking the activity cluster under the name "Bad Magic." The attacks are believed to have begun with spear phishing or a similar lure that used booby-trapped URLs leading to a malicious ZIP archive hosted on a compromised web server. The archive contains a decoy document and a malicious LNK file; opening the shortcut installs a backdoor called PowerMagic.

This backdoor is written in PowerShell and establishes contact with a remote server, executing arbitrary commands and exfiltrating results to cloud services like Dropbox and Microsoft OneDrive. PowerMagic is also used to deploy the CommonMagic framework, which is a set of executable modules designed to interact with the command-and-control (C2) server, encrypt and decrypt C2 traffic, and execute plugins. Two of the plugins discovered so far allow capturing screenshots and gathering files of interest from connected USB devices. The researchers found no evidence linking the operation and its tools to any known threat actor or group, and the campaign may have gone unnoticed for over a year and a half.

A researcher noted that while the malware and techniques used in the CommonMagic campaign can't be called very advanced, the use of cloud storage as the command-and-control infrastructure is noteworthy and highlights how geopolitics can influence the cyberthreat landscape.

How Can Malware like Bad Magic Use Cloud Services to Do Harm?

Malware like Bad Magic uses cloud services as its command-and-control (C2) infrastructure, relying on them to communicate with its operators. In the case of Bad Magic, the PowerMagic backdoor contacts a remote server, runs the arbitrary commands it receives, and exfiltrates the results to cloud services such as Dropbox and Microsoft OneDrive. PowerMagic is also used to deploy the CommonMagic framework, whose modules interact with the C2 server, encrypt and decrypt C2 traffic, and execute plugins.

Using cloud storage as C2 infrastructure makes the malware's communication harder for security teams to detect and block, because the traffic resembles legitimate cloud storage activity and goes to destinations that are usually allowed. Attackers also gain the scalability and flexibility of cloud services for storing and distributing malicious files, which helps them evade detection and maintain persistence. The use of cloud services by malware like Bad Magic therefore underscores the importance of strong security controls and monitoring for cloud environments, including attention to which processes on an endpoint are talking to cloud storage, not just which destinations are being contacted.
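The monitoring point above is easier to see in code. The following detector is an added example written for this article; it is not code from the researchers who analyzed the campaign and is not based on the malware itself. It correlates two weak signals that the article's infection chain would produce on an endpoint: a script interpreter launched from the desktop shell with hidden or encoded switches (the kind of process a malicious LNK starts), and that same process opening connections to cloud storage APIs. The host list, the switch list, and every event record are assumptions constructed for the example; a real deployment would draw them from its own telemetry.

```python
"""Flag scripting hosts that talk to cloud-storage APIs.

Illustration added to the article; it is not code from the
researchers or from the campaign. All event records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Legitimate cloud-storage API hosts whose traffic C2 can blend into.
# Assumed list for the example; a real deployment would use its own inventory.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "graph.microsoft.com",
    "onedrive.live.com",
}

# Script interpreters that rarely have a business reason to upload on their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Switches that hide the console window or pass an encoded script body.
SUSPICIOUS_SWITCHES = ("-w hidden", "-windowstyle hidden", "-enc ", "-encodedcommand", "-nop")


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str = ""      # image name; for network events it is resolved via pid
    parent: str = ""
    cmdline: str = ""
    dest_host: str = ""


def analyze(events):
    """Return {pid: [reasons]} for processes worth an analyst's attention.

    Two weak signals are combined: (1) a script host launched from explorer.exe
    with hidden/encoded switches, as a shortcut-launched stager would be, and
    (2) a script host connecting to a cloud-storage API. Either alone is noisy;
    both on one pid is the pattern the article describes.
    """
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = defaultdict(list)

    for e in events:
        if e.kind == "process" and e.image.lower() in SCRIPT_HOSTS:
            cl = e.cmdline.lower()
            if e.parent.lower() == "explorer.exe" and any(s in cl for s in SUSPICIOUS_SWITCHES):
                findings[e.pid].append("script host launched from explorer with hidden/encoded switches")
        elif e.kind == "network":
            proc = procs.get(e.pid)
            if proc and proc.image.lower() in SCRIPT_HOSTS and e.dest_host.lower() in CLOUD_STORAGE_HOSTS:
                findings[e.pid].append(f"script host connected to cloud storage API {e.dest_host}")

    return dict(findings)


def severity(reasons):
    """Both signals on one process outrank either alone."""
    return "high" if len(reasons) >= 2 else "medium"


# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = [
    Event("process", 100, "explorer.exe", parent="winlogon.exe"),
    # A shortcut opened by the user launches a hidden PowerShell stager.
    Event("process", 412, "powershell.exe", parent="explorer.exe",
          cmdline=r"powershell.exe -w hidden -nop -File C:\Users\user\AppData\Local\Temp\stage.ps1"),
    Event("network", 412, dest_host="content.dropboxapi.com"),
    # The legitimate Dropbox client syncing: same destination, benign process.
    Event("process", 520, "Dropbox.exe", parent="explorer.exe"),
    Event("network", 520, dest_host="content.dropboxapi.com"),
    # An admin running a script from a console: a script host, but with no
    # hidden switches and no cloud-storage traffic.
    Event("process", 600, "powershell.exe", parent="cmd.exe",
          cmdline="powershell.exe -File Get-Inventory.ps1"),
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, severity(reasons), reasons)
```

Run as-is, the script reports only pid 412 at high severity: the Dropbox client hitting the same API host produces nothing, which is the point. Blocking or alerting on the destination alone would either miss the backdoor or flood the queue with legitimate sync traffic, so the rule keys on the originating process and its launch context instead.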

March 27, 2023