
CommonMagic APT Campaign Expands Target Range to Central and Western Ukraine


Kaspersky researchers have uncovered new information about the CommonMagic campaign, which was first detected in March 2023 and appears to be targeting organizations in the Russo-Ukrainian conflict area. The new information reveals more sophisticated malicious activities by the same threat actor and expands the victim pool to include organizations in Central and Western Ukraine. Kaspersky experts have also linked the previously unknown actor to earlier APT campaigns, such as Operation BugDrop and Operation Groundbait (Prikormka).

In March 2023, Kaspersky revealed a new APT campaign in the Russo-Ukrainian conflict area, dubbed CommonMagic. It utilizes PowerMagic and CommonMagic implants to conduct espionage activities and has been active since September 2021. The threat actor behind the attack remained unknown at the time, but Kaspersky has continued its investigation, tracking the unknown activity back to forgotten campaigns to gather further insights.

The researchers have now uncovered a modular framework called CloudWizard used in the recently discovered campaign. The framework contains nine modules, each responsible for distinct malicious activities such as keylogging, capturing screenshots, recording microphone input, and stealing passwords. One of the modules focuses on exfiltrating data from Gmail accounts, allowing the threat actor to access and smuggle activity logs, contact lists, and all email messages associated with the targeted accounts.

Moreover, Kaspersky’s investigations revealed a wider distribution of the campaign’s targets. While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope now includes individuals, diplomatic entities, and research organizations in Western and Central Ukraine.

After extensive research into CloudWizard, Kaspersky experts observed notable similarities between this campaign, Operation Groundbait, and Operation BugDrop: shared code, common file naming and listing patterns, infrastructure hosted by Ukrainian hosting services, and overlapping victim profiles in Western and Central Ukraine as well as in the Eastern European conflict area.

The experts also noticed resemblances between CloudWizard and the recently reported campaign CommonMagic. Some sections of the code are identical, they employ the same encryption library, follow a similar file naming format, and share victim locations within the Eastern European conflict area.

Based on these findings, Kaspersky experts have concluded that the malicious campaigns of Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic, and CloudWizard may all be attributed to the same active threat actor.

“The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyberespionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years,” said Georgy Kucherin, security researcher at Kaspersky’s Global Research and Analysis Team. “Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future.”

Kaspersky researchers recommend several measures to avoid falling victim to a targeted attack by a known or unknown threat actor: providing SOC teams with access to the latest threat intelligence; upskilling cybersecurity teams to tackle the latest targeted threats; implementing EDR solutions for endpoint-level detection, investigation, and timely remediation of incidents; adopting a corporate-grade security solution that detects advanced threats at the network level at an early stage; and introducing security awareness training that teaches practical skills to teams.

It is important to note that cybersecurity is not only the responsibility of the IT department; it is everyone’s responsibility. Everyone must play their part in keeping the company safe by being mindful of phishing attempts, practicing good password hygiene, and updating their devices regularly. Companies must prioritize cybersecurity and ensure their employees receive the necessary training to help protect against the ever-increasing cyber threats.
