Black Magic APT uses CommonMagic to target Ukraine

April 12, 2023

The advanced persistent threat group Black Magic APT has been targeting different sectors of the Ukrainian government amid the ongoing geopolitical conflict in the country. The group uses a malicious framework called CommonMagic to compromise agriculture, transportation, and government organisations in different towns in Ukraine.

Researchers confirmed that the Ukrainian towns Donetsk, Lugansk, and Crimea are subjects of the recent cyberattack.

The current Black Magic APT operation is still part of the campaign that started in October last year.

According to the investigation, the Black Magic APT group started the operation in October 2022, using spear-phishing emails to initiate attacks. The spear-phishing emails contained malicious URLs that led to a ZIP file hosted on an attacker-controlled server.

The ZIP archive contains a decoy document and a malicious LNK file that uses a double extension to disguise itself. Opening the LNK file starts the infection chain, which ends by deploying the PowerMagic backdoor. PowerMagic is written in PowerShell.
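As an added defensive illustration (not code from the original report), the triage routine below inspects a ZIP attachment for the lure described above: it flags members whose name carries a double extension ending in .lnk and, independently of the name, members whose first bytes are a Windows Shell Link header, so a shortcut renamed to hide its extension is still caught. The archive and its file names are constructed samples, not artefacts from the campaign.

```python
import io
import zipfile

# Windows Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID form.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def has_double_extension(name: str) -> bool:
    """True for names such as 'report.pdf.lnk', where a document-looking
    extension precedes the real .lnk extension."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "lnk"


def is_shell_link(data: bytes) -> bool:
    """True when the data starts with a Shell Link header, whatever the name."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def triage_zip(blob: bytes) -> list[dict]:
    """Return one finding per suspicious member, with the reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            head = zf.open(info).read(len(LNK_MAGIC))
            reasons = []
            if has_double_extension(info.filename):
                reasons.append("double-extension .lnk name")
            if is_shell_link(head):
                reasons.append("Shell Link header")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: a decoy document, a double-extension
    shortcut with a genuine Shell Link header, and a shortcut renamed to
    look like a text file (hypothetical names, not from the campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.docx", b"placeholder decoy document body")
        zf.writestr("report.pdf.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("notes.txt", LNK_MAGIC + b"\x00" * 40)
    return buf.getvalue()
```

Running `triage_zip(build_sample_zip())` flags both shortcuts and leaves the decoy document alone.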

The backdoor then establishes a connection to a remote server and retrieves arbitrary commands that the malware executes on the compromised host. The results are uploaded to public cloud services such as OneDrive and Dropbox, with OAuth refresh tokens used as the credentials.

Experts explained that PowerMagic acts as the delivery vector for the CommonMagic framework, which consists of several executable modules. These modules interact with the command-and-control server, encrypt and decrypt C2 traffic, and run plugins.

Lastly, the ‘Screenshot’ plugin captures a screenshot every three seconds through the GDI API, and the USB plugin collects files of interest from connected USB devices.

Cybersecurity experts noted that the operation has been active for over a year without a substantial detection report. The actors have therefore sustained a durable campaign even though the malware and its techniques are not sophisticated.

Researchers could not link this campaign to any known cybercriminal operation. However, more about the group is likely to become known as new investigations surface.
