Commonmagic

Malware updated 3 months ago (2024-07-08T11:17:41.534Z)
Download STIX
Preview STIX
CommonMagic is a malicious software framework that has been actively used since at least September 2021 to target government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. It was developed by an APT group linked to the Russo-Ukrainian conflict and operates by infecting systems with various modules for tasks such as traffic encryption and decryption, document theft, and screenshot capturing. This malware communicates with a command-and-control server, which then triggers the infection within the CommonMagic framework. The CommonMagic malware is closely related to another malware framework, CloudWizard, both of which were discovered during an investigation initiated in 2022. The similarities between CommonMagic and CloudWizard are significant, indicating a shared origin or developer. Both use the RC5Simple library for encryption and the RapidJSON library for parsing JSON objects. They also share similar strings in their internet communication modules and have analogous naming conventions for files uploaded to their respective C2 servers. Additionally, victim IDs extracted from both malwares contain a date followed by two identical letters, albeit with slight variations in format. However, there are notable differences in the implants used by each malware: DUREX43 in CloudWizard and Hwo7X8p in CommonMagic. Victims of CommonMagic and CloudWizard are primarily located in areas of conflict in Eastern Europe, particularly those involved in the Ukrainian conflict. These malware frameworks represent an escalation in cyber warfare, using cloud services to conduct sophisticated attacks. The discovery of these interconnected frameworks highlights the increasing complexity and modularity of modern malware, as well as the geopolitical context in which they operate.
Description last updated: 2024-07-08T11:16:27.593Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Powermagic is a possible alias for Commonmagic. PowerMagic is a sophisticated malware, also known as DBoxShell, that has been linked to a series of advanced persistent threat (APT) activities. This malicious software was identified by Kaspersky researchers who traced its connections to previous APT activities such as Operation Groundbait, the Pri
4
Cloudwizard is a possible alias for Commonmagic. CloudWizard is a malicious software (malware) that has been used in advanced persistent threat (APT) campaigns. First reported by Kaspersky in 2023, it has been linked to cyber warfare activities in the Russo-Ukrainian conflict area. The malware operates by infiltrating systems and performing harmfu
4
Prikormka is a possible alias for Commonmagic. Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Kaspersky
Apt
Malware
Backdoor
Encryption
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Commonmagic Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more