Infosec researchers have identified an attack campaign that uses a previously unknown malware framework against organizations from key sectors in Ukraine, a clear indication of the active part that cyberwarfare continues to play in the war. The targeted organizations operate in the government, agriculture, and transportation sectors and are located in the Donetsk, Lugansk, and Crimea regions.
These attacks involve a new modular framework called CommonMagic, which has not been seen before. The framework appears to be designed to infiltrate and disrupt the targeted organizations, potentially compromising sensitive information and disrupting critical infrastructure. It is not yet clear who is responsible for these attacks or what their ultimate goals may be. The situation is ongoing, and organizations in the affected areas should take steps to secure their networks and systems against potential threats.
A Complex Attack Chain Delivers the CommonMagic Malware
According to the researchers, the exact initial compromise vector is unclear. However, the details of the next stage of the attack indicate that spear phishing or similar techniques may be used by the threat actors.
The attacks follow a specific pattern where a malicious URL is presented to the victims and is used to lead them to a ZIP archive hosted on a compromised web server. When the delivered ZIP file is opened, it contains a decoy document and a malicious LNK file. In the next phase of the attack, a backdoor named PowerMagic is deployed onto the breached devices. The backdoor allows the attacker to gain access to the victim's computer and carry out various malicious activities, but its main purpose is to fetch and deploy the CommonMagic malware framework, a far more specialized piece of malicious software.
CommonMagic - A Previously Unseen Threatening Framework
All of the victims compromised by the PowerMagic backdoor were also found to be infected with a far more intricate and sophisticated malicious framework, which has been dubbed CommonMagic. CommonMagic comprises several executable modules, all stored in a directory located at C:\ProgramData\CommonCommand. Each module runs as an independent executable and communicates with the others via named pipes. The modules are specifically designed for communication with the Command and Control (C&C) server, encryption and decryption of the C&C traffic, and carrying out several malicious actions.
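The module directory and the named-pipe communication described above are the most concrete host-side indicators the report gives, so a defender can hunt for them directly. The following is an added detection example, not code from the report or from the malware: it scans constructed Sysmon-style events (Event ID 1 process creation, 17 pipe created, 18 pipe connected) for anything rooted in C:\ProgramData\CommonCommand and reconstructs which executables share a pipe. The module and pipe names in the sample events are placeholders, not real CommonMagic artifacts.

```python
import os
from typing import Iterable

# Module directory named in the report; Windows paths compare case-insensitively.
COMMONMAGIC_DIR = r"C:\ProgramData\CommonCommand"

# Constructed Sysmon-style events for demonstration; executable and pipe names are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\PROGRAMDATA\CommonCommand\module_a.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 17, "Image": r"C:\ProgramData\CommonCommand\module_a.exe", "PipeName": r"\placeholder_pipe"},
    {"EventID": 18, "Image": r"C:\ProgramData\CommonCommand\module_b.exe", "PipeName": r"\placeholder_pipe"},
    {"EventID": 17, "Image": r"C:\Program Files\Legit\app.exe", "PipeName": r"\legit_pipe"},
    # Sibling directory with a longer name: must NOT match a naive prefix check.
    {"EventID": 1, "Image": r"C:\ProgramData\CommonCommandX\other.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def under_commonmagic_dir(path: str) -> bool:
    """True when `path` lies inside the CommonMagic directory (case-insensitive, separator-boundary aware)."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    d = COMMONMAGIC_DIR.lower()
    return p == d or p.startswith(d + "\\")


def scan_events(events: Iterable[dict]) -> list:
    """Flag process launches and named-pipe activity by executables in the CommonMagic directory."""
    findings = []
    for ev in events:
        if not under_commonmagic_dir(ev.get("Image", "")):
            continue
        if ev["EventID"] == 1:
            findings.append({"rule": "commonmagic_module_start", "image": ev["Image"], "parent": ev.get("ParentImage")})
        elif ev["EventID"] in (17, 18):
            findings.append({"rule": "commonmagic_named_pipe", "image": ev["Image"], "pipe": ev.get("PipeName")})
    return findings


def pipe_peers(findings: list) -> dict:
    """Map each pipe name to the module executables that created or connected to it,
    reconstructing the inter-module channel the report describes."""
    peers = {}
    for f in findings:
        if f["rule"] == "commonmagic_named_pipe":
            exe = os.path.basename(f["image"].replace("\\", "/")).lower()
            peers.setdefault(f["pipe"], set()).add(exe)
    return peers


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(pipe_peers(hits))
```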
Two of the modules discovered to date are equipped with the capabilities to capture screenshots at three-second intervals and to retrieve files of interest from any USB devices that are connected. The framework uses OneDrive remote folders to transport data, and any data exchanged between the attacker and the victim via OneDrive is encrypted using the RC5Simple open-source library.