
Black Magic APT Targets Ukraine with CommonMagic and PowerMagic

Amid the ongoing Russia-Ukraine war, an APT group named Bad Magic has been observed targeting agriculture, government, and transportation organizations located in Donetsk, Lugansk, and Crimea. The campaign leverages old artifacts created as early as September 2021, along with a previously unseen malicious framework dubbed CommonMagic.

The attack chain

Kaspersky researchers discovered the campaign in October 2022 and recently released a report describing the discoveries so far.
  • Bad Magic most likely uses spear-phishing messages with booby-trapped URLs to deliver a malicious ZIP archive hosted on an attacker-controlled web server.
  • The archive contains a decoy document and a malicious LNK file with a double extension. 
  • The LNK file starts the infection and culminates in the deployment of a backdoor, named PowerMagic, which is written in PowerShell.
  • The backdoor establishes a connection with a remote server and receives arbitrary commands that are executed on the infected machine.
  • Subsequently, the results are uploaded to public cloud services such as Dropbox and Microsoft OneDrive, and OAuth refresh tokens are used as credentials.
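As an added defensive example (not code from the Kaspersky report or from Cyware), the following Python check inspects a ZIP attachment for the pairing described above: a decoy document sitting next to a LNK file that carries a double extension. The archive contents and file names are constructed for illustration; the LNK detection relies on the documented ShellLink header bytes rather than on the file name alone.

```python
import io
import re
import zipfile

# Every Windows shortcut starts with HeaderSize 0x4C followed by the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (little-endian layout).
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")

# "Double extension": a document-looking suffix directly before .lnk,
# e.g. report.docx.lnk (assumed list of lure suffixes).
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf|txt)\.lnk$", re.IGNORECASE)


def scan_archive(zip_bytes: bytes) -> list[dict]:
    """Report every LNK-like entry in the archive with the indicators that
    match this campaign: real LNK header, double extension, decoy sibling."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            head = zf.read(name)[: len(LNK_MAGIC)]
            is_lnk = head == LNK_MAGIC
            by_name = name.lower().endswith(".lnk")
            if not is_lnk and not by_name:
                continue  # not a shortcut by header or by name
            findings.append({
                "name": name,
                "lnk_header": is_lnk,
                "double_extension": bool(DOUBLE_EXT.search(name)),
                # A decoy is present when stripping ".lnk" yields another entry,
                # i.e. the lure document the shortcut is impersonating.
                "decoy_sibling": by_name and name[:-4] in names,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: decoy document, double-extension LNK, benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_2023.docx", b"decoy document placeholder")
        zf.writestr("Order_2023.docx.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f)
```

Flagging only entries where all three indicators are true keeps the check narrow; relaxing it to any LNK with a real header catches shortcuts whose name does not follow the double-extension pattern.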

Deployment of CommonMagic via PowerMagic

  • PowerMagic acts as a medium to deliver the CommonMagic framework that contains a set of several executable modules.
  • These modules are capable of interacting with the C2 server, encrypting and decrypting C2 traffic, and executing plugins (Screenshot and USB).
  • The Screenshot plugin (S[.]exe) captures screenshots every three seconds using the GDI API, and the USB plugin (U[.]exe) gathers files of interest from connected USB devices.

Wrapping up

Although the malware and techniques used in this campaign are not particularly sophisticated, the campaign has been active for the last 1.5 years without any notable detection. This campaign has no direct relation to any known campaigns or previously known actors, yet the use of malware such as PowerMagic and CommonMagic indicates that the cluster behind the attack is resourceful and highly focused on flying under the radar.
Cyware Publisher