Security experts have recently uncovered an APT campaign that leverages the PowerMagic and CommonMagic implants. During their investigation, they discovered a group of implants that share similarities with CommonMagic and PowerMagic. Upon further analysis, they identified a cluster of highly sophisticated activities that originate from the same threat group.

The CloudWizard campaign

The APT campaign employs a modular framework called CloudWizard. This framework is capable of taking screenshots, keylogging, and recording audio from the microphone.
  • The CloudWizard code is identical to CommonMagic: both use the same encryption library and the same file-naming format, and both target victims in the same locations.
  • Additionally, the threat actor behind this campaign is believed to be responsible for other malicious campaigns, such as Operation BugDrop and Operation Groundbait.

According to the report, the victims were mainly individuals and diplomatic and research entities located in Donetsk, Lugansk, Crimea, and central and western Ukraine.

More insights

  • The CloudWizard framework comprises nine modules that provide a range of espionage capabilities, including keylogging, file gathering, microphone recording, password theft, and screenshot capture.
  • One of the framework's most concerning features is its ability to extract Gmail cookies from browser databases, which allows the attackers to access targeted accounts and exfiltrate their data.

Conclusion

The attackers responsible for this campaign have demonstrated a high level of persistence and commitment to cyber-espionage operations. They continuously refine their toolsets and target organizations of interest to them. To protect against such threats, organizations should limit device access, maintain effective endpoint security, and ensure that systems and software are regularly patched and updated.
Cyware Publisher
