Kaspersky, the Russia-based security vendor, has discovered a new cyber espionage campaign.
The campaign specifically targets organizations in the Russian-occupied regions of Ukraine and uses previously unseen malware to steal data. In this article we look at the details of the campaign and the techniques the threat actors use.
The Cyber Espionage Campaign
The campaign Kaspersky discovered makes use of a PowerShell-based backdoor called “PowerMagic” and a previously unknown modular framework known as “CommonMagic”. The framework's plugins steal files from connected USB devices and take a screenshot every three seconds, and the collected data is sent back to the attacker.
According to Kaspersky, the attackers have been active since at least September 2021 and have no known direct ties to established advanced persistent threat (APT) groups. However, the phishing lures and the choice of victims indicate that the campaign is tied to the illegal Russian invasion of Ukraine.
The researchers at Kaspersky believe that geopolitical conflicts can have a significant impact on the cyber threat landscape, leading to the emergence of new threats. They have been monitoring activity connected to the conflict between Russia and Ukraine for some time, and this is one of their latest discoveries.
The Malware and Techniques Used
The malware and techniques themselves are not particularly sophisticated, but the use of public cloud storage as command-and-control (C2) infrastructure is notable. Instead of contacting an attacker-owned server, the backdoor polls a folder on a public cloud storage service for commands, executes them on the infected machine and uploads the results back to the same storage.
The backdoor uses OneDrive and Dropbox folders as its transport and OAuth refresh tokens as its credentials. A refresh token lets the implant obtain fresh access tokens without a password, and because the traffic goes to services that most organizations already use, it blends in with legitimate activity.
Kaspersky reports that PowerMagic is used to deploy CommonMagic, a modular framework that runs two malicious plugins: one takes a screenshot every three seconds, the other steals files from connected USB devices.
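The detection angle that follows from the two paragraphs above is not the malware hashes but the pattern: a process that is not a browser or an official sync client exchanging a refresh token and then pushing uploads to the OneDrive or Dropbox API on a tight timer. The Python below is an added example, not code from Kaspersky or from the campaign; the log format, the API hostnames, the process allowlist and the thresholds are all assumptions chosen for illustration and should be adapted to the proxy or EDR telemetry actually in use.

```python
"""Hunting for cloud-storage C2 in outbound proxy logs.

Added example, not code from the Kaspersky report or from the malware.
Assumptions: the log format below (constructed), the API hostnames, the
process allowlist and the timing thresholds are illustrative only.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed API and token endpoints for OneDrive (Microsoft Graph) and Dropbox.
# A refresh-token exchange hits the OAuth endpoint, the file transfer hits
# the API host, so both are worth watching.
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com",
    "login.microsoftonline.com",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
}

# Assumed allowlist: processes that are expected to talk to those hosts.
ALLOWED_PROCESSES = {
    "onedrive.exe", "dropbox.exe", "msedge.exe", "chrome.exe",
    "firefox.exe", "outlook.exe",
}

# Constructed sample log: timestamp host process dest_host method bytes_out.
SAMPLE_LOG = """\
2023-03-21T09:00:00Z ws-042 onedrive.exe graph.microsoft.com PUT 18230
2023-03-21T09:00:02Z ws-042 powershell.exe login.microsoftonline.com POST 412
2023-03-21T09:00:03Z ws-042 powershell.exe graph.microsoft.com PUT 91230
2023-03-21T09:00:06Z ws-042 powershell.exe graph.microsoft.com PUT 90842
2023-03-21T09:00:09Z ws-042 powershell.exe graph.microsoft.com PUT 91011
2023-03-21T09:00:12Z ws-042 powershell.exe graph.microsoft.com PUT 89977
2023-03-21T09:01:00Z ws-017 chrome.exe content.dropboxapi.com POST 2048
2023-03-21T09:05:00Z ws-017 dropbox.exe content.dropboxapi.com POST 55000
"""


def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, method, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "process": proc.lower(),
            "dest": dest.lower(),
            "method": method,
            "bytes": int(nbytes),
        })
    return events


def suspicious_cloud_c2(events, max_interval=5.0, max_jitter=1.0, min_events=4):
    """One finding per (host, process, dest) where a process outside the
    allowlist talks to a cloud-storage API. Each finding also says whether
    the traffic runs on a tight timer, which is what a screenshot-every-few-
    seconds plugin uploading through the same channel would look like."""
    groups = defaultdict(list)
    for e in events:
        if e["dest"] in CLOUD_STORAGE_HOSTS and e["process"] not in ALLOWED_PROCESSES:
            groups[(e["host"], e["process"], e["dest"])].append(e)

    findings = []
    for (host, proc, dest), evs in sorted(groups.items()):
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        # Short-circuit keeps median()/min()/max() off an empty gap list.
        beaconing = (
            len(evs) >= min_events
            and median(gaps) <= max_interval
            and max(gaps) - min(gaps) <= max_jitter
        )
        findings.append({
            "host": host,
            "process": proc,
            "dest": dest,
            "events": len(evs),
            "bytes_out": sum(e["bytes"] for e in evs),
            "median_interval_s": median(gaps) if gaps else None,
            "beaconing": beaconing,
        })
    return findings


if __name__ == "__main__":
    for f in suspicious_cloud_c2(parse_log(SAMPLE_LOG)):
        flag = "BEACONING" if f["beaconing"] else "unexpected process"
        print(f"{f['host']} {f['process']} -> {f['dest']}: "
              f"{f['events']} events, {f['bytes_out']} bytes out [{flag}]")
```

On the constructed sample the single token exchange from powershell.exe is reported on its own as an unexpected process, and the four uploads to the Graph API three seconds apart are additionally flagged as beaconing. A browser or sync client touching the same hosts produces no finding, which is the point of allowlisting by process rather than blocking the destinations.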
The campaign is still active and Kaspersky's investigation continues. The researchers expect further findings to reveal more about the malware and the threat actor behind it.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his knowledge and technical management capabilities go beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and more.