A previously unidentified threat actor is believed to be using new malware programs called CommonMagic and PowerMagic to phish for details of targets in disputed Russian-controlled areas of Ukraine.
SecureList, an affiliate of Kaspersky – which has itself come under fire for alleged ties to the Kremlin – claims to have observed since October “an active infection of government, agriculture and transportation organizations located in the Donetsk, Luhansk, and Crimea regions.”
It added: “Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear-phishing or similar methods.” Spear-phishing is a targeted version of phishing aimed at specific individuals or entities, rather than relying on scattershot spamming techniques.
Nor is it clear from the SecureList report whether the targets of the campaign, and indeed its perpetrators, are for or against Russia’s occupation of Ukrainian territories, including the disputed breakaway republics of Luhansk and Donetsk.
Victims are steered, via social engineering (essentially duping or conning a target over the internet), to a URL that points to a compressed ZIP archive containing a decoy document and a malicious file that infects the computer when opened.
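The lure described above is a ZIP archive carrying a decoy document alongside a file that runs code when opened. The following is an added example, not code from the article or from SecureList, of the kind of archive triage a mail gateway or analyst could run on such an attachment before anyone opens it: it flags members with executable or script extensions, document-looking names that hide a second executable extension, members whose bytes begin with a PE header regardless of name, and the decoy-plus-payload pattern itself. The extension lists and the constructed sample archive are assumptions; the article does not name the file type the campaign used.

```python
import io
import zipfile
from dataclasses import dataclass

# Extensions Windows will run, or hand to a script host, when a user double-clicks them.
# Assumption: a generic illustrative list; the article does not state the payload's type.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "wsh", "ps1", "hta", "lnk", "msi", "dll"}
DOC_EXTS = {"doc", "docx", "rtf", "pdf", "xls", "xlsx", "ppt", "pptx", "txt", "odt"}


@dataclass(frozen=True)
class Finding:
    member: str   # archive member name
    reason: str   # why it was flagged


def _ext_chain(member: str) -> list[str]:
    """All extensions of the base name, lower-cased: 'a.docx.exe' -> ['docx', 'exe']."""
    base = member.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_zip(data: bytes) -> list[Finding]:
    """Flag members that would execute code when opened, plus the decoy-plus-payload pattern."""
    findings: list[Finding] = []
    doc_members = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.startswith("/") or ".." in name.split("/"):
                findings.append(Finding(name, "path traversal component in member name"))
            exts = _ext_chain(name)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(4)
            if head.startswith(b"MZ"):
                # A PE image whatever the name says; catches 'report.docx' that is really an .exe
                findings.append(Finding(name, "PE header (MZ) in member content"))
            elif last in EXECUTABLE_EXTS:
                if len(exts) > 1 and exts[-2] in DOC_EXTS:
                    findings.append(Finding(name, "double extension: document name hiding an executable"))
                else:
                    findings.append(Finding(name, f"executable or script extension '.{last}'"))
            elif last in DOC_EXTS:
                doc_members += 1
            else:
                findings.append(Finding(name, "no extension" if not last else f"unrecognised extension '.{last}'"))
    payload = any(f.reason.startswith(("PE header", "double extension", "executable")) for f in findings)
    if payload and doc_members:
        findings.append(Finding("<archive>", "decoy document bundled with executable content"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample, not a real lure: two harmless decoys plus two disguised payload shapes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("election_results.docx", b"PK\x03\x04 decoy-document-bytes")
        zf.writestr("finance_ministry_notice.pdf.lnk", b"L\x00\x00\x00 shortcut-bytes")
        zf.writestr("readme.txt", b"open the documents above")
        zf.writestr("attachment.docx", b"MZ\x90\x00 pe-shaped-bytes")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample of a benign archive: documents only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("minutes.docx", b"PK\x03\x04 document-bytes")
        zf.writestr("budget.xlsx", b"PK\x03\x04 spreadsheet-bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

The content check matters more than the name check: an attacker controls the file name, so a triage that stops at extensions is easily sidestepped, while a member that begins with a PE header is executable whatever it is called. A production version would also scan Office documents for macros and OLE objects, which this example does not attempt.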
Screenshot of what SecureList says is a bogus document, purportedly from the Finance Ministry of the disputed territory of Donetsk.
The decoy Word document examined by SecureList is written in Russian and purports to cover the results of the “State Duma elections in the Republic of Crimea” – the territory annexed by Russia in 2014 and widely regarded as the precursor to its subsequent invasion of Ukraine last year.
Another document called out as a fake by SecureList claims to be from the Finance Ministry of the Democratic People’s Republic of Donetsk – which the international community says is a territory of Ukraine illegally occupied by Russia.
Screenshot of an electoral document relating to disputed Crimea that SecureList also says is bogus.
“When the potential victim activates the file included in the ZIP, it triggers a chain of events that lead to the infection of the computer with a previously unseen malicious framework that we named CommonMagic,” said SecureList. “The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.”
Another new type of malware spotted by the cybersecurity analyst is a backdoor program enabling covert access to a targeted machine, which it dubbed PowerMagic. This in turn enables the threat actor to control the compromised computer remotely, from what is known as a “command and control server.”
“When started, the backdoor […] enters an infinite loop communicating with its C&C [command and control] server, receiving commands and uploading results in response,” said SecureList. “It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.”
It added: “All the victims of PowerMagic were also infected with a more complicated, previously unseen, modular malicious framework that we named CommonMagic. This framework was deployed after initial infection with the PowerShell backdoor, leading us to believe that CommonMagic is deployed via PowerMagic.”
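The backdoor behaviour quoted above, a script-driven process polling OneDrive or Dropbox in a loop for commands, leaves a recognisable trace in web proxy logs: a non-browser client contacting cloud-storage API hosts at a near-constant interval. The following added example, which is not code from the article or from SecureList, shows a small detector for that pattern run over constructed sample log lines. The log format (timestamp, source IP, destination host, HTTP method, quoted user agent), the list of cloud-storage hosts, the PowerShell user-agent marker, and the beaconing thresholds are all assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Cloud-storage API hosts that can serve as a dead-drop transport. The host names are real
# services; treating exactly this set as "storage" is an assumption for the example.
STORAGE_HOSTS = {"graph.microsoft.com", "api.onedrive.com",
                 "api.dropboxapi.com", "content.dropboxapi.com"}

# Non-browser client marker. Assumption: PowerShell's web cmdlets advertise
# 'WindowsPowerShell/<version>' (or 'PowerShell/<version>') in their user agent.
SCRIPT_UA = re.compile(r"WindowsPowerShell/|PowerShell/", re.I)

# Assumed proxy log format: <iso-timestamp> <src-ip> <dest-host> <METHOD> "<user-agent>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "(?P<ua>[^"]*)"$')


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_beacons(lines, min_hits: int = 4, max_cv: float = 0.2) -> list[dict]:
    """Return (src, host) pairs where a scripting client polls a storage API at a steady interval.

    Steadiness is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; a human-driven client shows far higher jitter.
    """
    groups: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["host"] in STORAGE_HOSTS and SCRIPT_UA.search(rec["ua"]):
            groups[(rec["src"], rec["host"])].append(rec["ts"])

    alerts = []
    for (src, host), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            alerts.append({"src": src, "host": host, "hits": len(times),
                           "interval_s": round(mean, 1), "jitter_cv": round(cv, 3)})
    return alerts


# Constructed sample log: one host polling Dropbox every ~60 s from PowerShell, one host
# using Dropbox from a browser at irregular times, and one lone PowerShell hit on Graph.
SAMPLE_LOG = """\
2023-03-21T09:00:00 10.0.5.17 api.dropboxapi.com POST "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.19041.1682"
2023-03-21T09:00:30 10.0.5.3 api.dropboxapi.com POST "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
2023-03-21T09:01:00 10.0.5.17 api.dropboxapi.com POST "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.19041.1682"
2023-03-21T09:02:01 10.0.5.17 api.dropboxapi.com POST "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.19041.1682"
2023-03-21T09:03:00 10.0.5.17 api.dropboxapi.com POST "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.19041.1682"
2023-03-21T09:04:00 10.0.5.17 api.dropboxapi.com POST "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.19041.1682"
2023-03-21T09:05:10 10.0.5.17 graph.microsoft.com GET "Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.19041.1682"
2023-03-21T09:12:44 10.0.5.3 api.dropboxapi.com GET "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/111.0"
"""

if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_LOG.splitlines()):
        print(alert)
```

Because the transport is a legitimate, widely used service, blocking the destination is rarely an option; the signal is the combination of client type and cadence, and the same grouping can be extended to the OAuth token endpoints the backdoor must hit to refresh its credentials. In a real deployment the user-agent test should be replaced or supplemented with process-level telemetry (which executable made the connection), since a user agent is trivially changed.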
SecureList says that to date it has found “no direct links” between its own findings and “any previously known [threat] actors.”
“However, the campaign is still active, and our investigation continues,” it added.
From: https://cybernews.com/cyber-war/partisan-threat-actor-cyberwar-ukraine/