PowerMagic

Recent research has exposed a new cyberespionage campaign that is aimed at government agencies and other organizations operating within regions of Ukraine that are currently occupied by Russia. This campaign utilizes two distinct and previously unknown malware strains, which have been dubbed PowerMagic and CommonMagic.

The attackers employ these strains of malware to pilfer data from the targeted devices belonging to entities located in the Donetsk, Lugansk, and Crimea regions. The targets of this espionage campaign include government agencies, as well as agriculture and transportation organizations.

It appears highly probable that this latest cyberespionage campaign is part of the larger cyber conflict between Ukraine and Russia, given the ongoing conflict in the region.

The Attackers Use Phishing Emails and Decoy Documents

The attackers behind this incident disseminated malware by employing phishing emails, which contained a hyperlink to a .zip archive that was hosted on a server that had malicious intent.

The .zip archive was composed of two files: a document that had been disguised to appear as an official decree – with examples including notifications related to parliamentary elections in Crimea or budget planning in Donetsk – as well as a malicious .lnk file. Upon being opened, this .lnk file would initiate the malware and infect the targeted device.

In the initial phase of the attack, the hackers used a PowerShell-based backdoor called PowerMagic to infiltrate the system.

PowerMagic is Equipped with Multiple Threatening Capabilities

Upon further examination of the PowerMagic backdoor, it was discovered that the primary section of the backdoor is read from the file located at %APPDATA%\WinEventCom\config. This file is then decrypted through the use of a simple XOR algorithm.

After decryption, the backdoor enters into an infinite loop that continuously communicates with its designated Command and Control (C&C) server. The backdoor then receives commands from the server and responds with uploaded results.

When PowerMagic successfully establishes a connection with the C&C server, it has the capability to execute arbitrary commands. The results of these executed commands are exfiltrated to cloud services such as Dropbox and Microsoft OneDrive.

However, one of the main tasks of PowerMagic is to deliver the next-stage CommonMagic framework to the infected devices. CommonMagic is a more complicated malicious tool capable of performing specific tasks.