New ‘Bad Magic’ Cyber Threat Disrupts Ukraine’s Key Sectors Amid War

March 21, 2023 | Ravie Lakshmanan | Cyber War / Cyber Threat


Amid the ongoing war between Russia and Ukraine, government, agricultural and transport organizations in Donetsk, Lugansk, and Crimea have been attacked as part of an active campaign that delivers a previously unseen modular framework called CommonMagic.

Kaspersky said in a new report, “While the initial vector of compromise is unknown, details of subsequent stages suggest the use of spear phishing or similar methods.”

The Russian cybersecurity firm, which detected the attack in October 2022, tracks the activity cluster under the name “Bad Magic.”

The attack chain involves a booby-trapped URL pointing to a ZIP archive hosted on a malicious web server. The archive contains a decoy document and a malicious LNK file that, when opened, eventually deploys a backdoor named PowerMagic.

PowerMagic, written in PowerShell, establishes a connection with a remote server and executes arbitrary commands. The results are exfiltrated to cloud services such as Dropbox and Microsoft OneDrive.
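The chain above (a shortcut file that launches PowerShell, which then talks to consumer cloud storage) leaves a recognisable trace in endpoint telemetry. The following is an added detection example, not code from the report or from the campaign: it correlates Sysmon-style process-creation and network-connection events by process ID and flags PowerShell that was spawned by explorer.exe with stealth switches and then contacted a cloud-storage endpoint. The event records, the switch heuristic and the host list are constructed assumptions for illustration; real telemetry and baselines will differ.

```python
"""Heuristic detection for LNK-launched PowerShell that reaches cloud storage,
run over constructed Sysmon-style events (added example, not the report's code)."""
import re
from collections import defaultdict

POWERSHELL = re.compile(r"(?i)\\(?:powershell|pwsh)\.exe$")
EXPLORER = re.compile(r"(?i)\\explorer\.exe$")

# Switches typical of a script that wants to run unseen after a double-click
# (assumed heuristic list; tune against your own environment's baseline).
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s"
    r"|nop(?:rofile)?\b|e(?:p|xecutionpolicy)\s+bypass)"
)

# Cloud-storage endpoints matching the services named in the report (assumed host
# list). Legitimate software uses them too, so a hit only counts when correlated
# with a suspicious launch of the same process.
CLOUD_STORAGE_HOSTS = {
    "content.dropboxapi.com", "api.dropboxapi.com",
    "graph.microsoft.com", "onedrive.live.com", "api.onedrive.com",
}

PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events in a Sysmon-like shape (EventID 1 = process create,
# EventID 3 = network connect). Not real telemetry; the -enc payload is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 5320, "ParentProcessId": 4100, "Image": PS_PATH,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass -enc AAAAAAAA"},
    {"EventID": 3, "ProcessId": 5320, "Image": PS_PATH,
     "DestinationHostname": "content.dropboxapi.com", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 6010, "ParentProcessId": 4100, "Image": PS_PATH,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": 3, "ProcessId": 6010, "Image": PS_PATH,
     "DestinationHostname": "fileserver.corp.example", "DestinationPort": 445},
]


def _image_matches(pattern, path):
    return bool(path) and pattern.search(path) is not None


def is_suspicious_powershell_launch(event):
    """PowerShell spawned by explorer.exe (what a double-clicked shortcut looks like)
    with stealth switches on the command line."""
    return (event.get("EventID") == 1
            and _image_matches(POWERSHELL, event.get("Image", ""))
            and _image_matches(EXPLORER, event.get("ParentImage", ""))
            and SUSPICIOUS_FLAGS.search(event.get("CommandLine", "")) is not None)


def detect_chains(events):
    """Correlate suspicious launches with later connects from the same process ID."""
    launches = {e["ProcessId"]: e for e in events if is_suspicious_powershell_launch(e)}
    contacted = defaultdict(set)
    for e in events:
        if e.get("EventID") == 3 and e.get("ProcessId") in launches:
            host = e.get("DestinationHostname", "").lower()
            if host in CLOUD_STORAGE_HOSTS:
                contacted[e["ProcessId"]].add(host)
    findings = []
    for pid, launch in launches.items():
        hosts = sorted(contacted[pid])
        findings.append({
            "pid": pid,
            "command_line": launch["CommandLine"],
            "cloud_hosts": hosts,
            # A stealthy launch alone deserves a look; launch plus cloud-storage
            # traffic from the same process is the full pattern described above.
            "severity": "high" if hosts else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} hosts={f['cloud_hosts']} cmd={f['command_line']}")
```

On the constructed sample the benign backup script (launched without stealth switches and talking to an internal file server) produces no finding, while the hidden, encoded PowerShell that reaches Dropbox is reported as high severity. The correlation on process ID is the important design choice: neither a PowerShell launch from explorer.exe nor a connection to a cloud-storage API is rare on its own.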


PowerMagic also serves as a conduit for delivering the CommonMagic framework, a set of executable modules designed to perform specific tasks such as interacting with the command-and-control (C2) server, encrypting and decrypting C2 traffic, and running plugins.

The two plugins discovered so far can capture screenshots every 3 seconds and collect files of interest from attached USB devices.

Kaspersky said it found no evidence linking the operation and its tools to known threat actors or groups.
