Unknown actors deploy malware to steal data in occupied regions of Ukraine

A cyber espionage campaign targeting organizations in Russian-occupied regions of Ukraine is using novel malware to steal data, according to Russia-based infosec software vendor Kaspersky.

In a report published Tuesday, Kaspersky researchers detailed the infections, which use a PowerShell-based backdoor they’ve named “PowerMagic” and a previously unknown framework dubbed “CommonMagic” that can steal files from USB devices, take screenshots every three seconds, and send all of this data back to the attacker.

Kaspersky says the cyber snoops, which have been active since at least September 2021, don’t share infrastruture, code, or other direct ties to any known advanced persistent threat (APT) groups. However, the victims – administrative, agricultural and transportation organizations located in the Donetsk, Luhansk and Crimea regions – and the phishing lures suggest that this campaign is related to the illegal Russian invasion of Ukraine. 

“Geopolitics always affect the cyber threat landscape and lead to the emergence of new threats,” Leonid Besverzhenko, security researcher at Kaspersky’s Global Research and Analysis Team, explained in a statement. “We have been monitoring activity connected to the conflict between Russia and Ukraine for a while now, and this is one of our latest discoveries.”

While the malware and techniques used by the threat actors “are not particularly sophisticated,” the use of cloud storage for command-and-control infrastructure is notable, Besverzhenko added. 

“We will continue our investigation and hopefully will be able to share more insights into this campaign,” he said.

The research team first spotted the infection in October 2022, and suspect it starts with a spearphishing email directing the victim to a URL that points to a .zip archive on a malicious web server. 

The archive contains two files. The first is a decoy document, crafted to trick the victim into thinking the content is legitimate by using regional topics and titles. There’s a screenshot in Kaspersky’s research showing one of these decoy Word documents, titled “Results of the State Duma elections in the Republic of Crimea”.

The second is the baddy: a malicious .lnk file that, when opened, infects the victim’s device with the PowerMagic backdoor.

The backdoor communicates with a public-cloud-storage based command-and-control server, executing commands from the server on the infected machine and uploading the results back to the cloud. 

It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials, according to Kaspersky. 

The researchers suggest that PowerMagic also deploys a modular framework called CommonMagic. So far, they’ve discovered two malicious plugins being executed by the framework. One – S[.]exe – takes screenshots every three seconds using the GDI API, and the other – U[.]exe – steals files from connected USB devices.

According to the researchers, “the campaign is still active, and our investigation continues.” They believe that “further discoveries may reveal additional information about this malware and the threat actor behind it.” ®

READ MORE HERE