
Kaspersky uncovers APT campaign vs organizations in war conflict areas

Researchers at cybersecurity solutions company Kaspersky have discovered an ongoing advanced persistent threat (APT) campaign, CommonMagic, targeting organizations in areas near the Russia-Ukraine war conflict.

Kaspersky uncovered the CommonMagic campaign in October 2022 but researchers believe it has been active since September 2021. The targets include administration, agriculture, and transportation organizations located in the Donetsk, Luhansk, and Crimea regions.

“Geopolitics always affect the cyber threat landscape and lead to the emergence of new threats,” Leonid Bezvershenko, security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), said in a media release. “We have been monitoring activity connected to the conflict between Russia and Ukraine for a while now, and this is one of our latest discoveries.”


Attackers are using a PowerShell-based backdoor called PowerMagic. CommonMagic is a new malicious framework the attackers are also using. The latter is capable of stealing files from USB devices, gathering data, and sending it to the attacker. However, its potential is not limited to these two functions, as the modular framework's structure allows additional malicious activities to be introduced via new malicious modules.

Spear phishing

“Although the malware and techniques employed in the CommonMagic campaign are not particularly sophisticated, the use of cloud storage as the command-and-control infrastructure is noteworthy,” said Bezvershenko.

The CommonMagic framework consists of multiple modules. Each framework module is an executable file launched in a separate process, with modules being able to communicate with each other.

Kaspersky noted that, like many attacks, the CommonMagic espionage campaign may have started with spear phishing “or similar methods as suggested by the next steps in the infection chain.” Victims are directed to a ZIP archive containing the malicious files. The PowerMagic backdoor then steals data, which is stored in a public cloud storage service. PowerMagic also sets itself up on the system so that it is launched persistently on startup of the infected device.

All PowerMagic targets witnessed by Kaspersky were also infected with a modular framework Kaspersky dubbed CommonMagic. This points to CommonMagic likely being deployed by PowerMagic, although it is not clear from the available data how the infection takes place.

Kaspersky clarifies that at the time of writing, “no direct links exist between the code and data used in this campaign and any previously known ones.”

But the company warns the public that the campaign is still active and that the investigation is still in progress.