It has been going on since at least September 2021.
Kaspersky Lab told about their latest discovery. Experts have identified a targeted attack on organizations and companies located in Donetsk, Luhansk and Crimea. The cyber-espionage campaign was registered at the end of 2022.
The attack targets agricultural and transport organizations. As noted in the “Laboratory”, the attack has been going on for a long time – at least since September 2021. Moreover, this threat is still active.
Kaspersky Lab: an active cyber-espionage attack on organizations in the Crimea
Interestingly, attackers use previously unknown malware to attack. The complex CommonMagic modular framework found in the Lab is installed after the device is infected with a PowerShell backdoor. The attack consists of several stages. First, phishing emails are sent purporting to be from a government organization. The victim then downloads a ZIP archive from a malicious web server containing a harmless PDF, XLSX or DOCX decoy document, appended with a malicious LNK file with a double extension, such as .pdf.lnk. The PowerMagic backdoor is then installed on the device, which executes the attackers’ commands and uploads the results to the cloud.
The Lab notes that PowerMagic is used to deploy the CommonMagic malware platform, which can steal files from USB devices, as well as take screenshots every three seconds and send them to attackers.
Leonid Bezvershenko, cybersecurity expert at Kaspersky Lab said:
Geopolitics always affects the landscape of cyber threats and leads to the emergence of new ones. We are following this campaign. Notable in it is not malware and technology – they are not the most ingenious, but the fact that cloud storage is used as a command and control infrastructure. We will continue to investigate this threat and hopefully be able to share more about CommonMagic at a later date.
