Commonmagic

Malware updated a year ago (2024-11-29T14:31:34.096Z)

Download STIX

Preview STIX

CommonMagic is a malicious software framework that has been actively used since at least September 2021 to target government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. It was developed by an APT group linked to the Russo-Ukrainian conflict and operates by infecting systems with various modules for tasks such as traffic encryption and decryption, document theft, and screenshot capturing. This malware communicates with a command-and-control server, which then triggers the infection within the CommonMagic framework. The CommonMagic malware is closely related to another malware framework, CloudWizard, both of which were discovered during an investigation initiated in 2022. The similarities between CommonMagic and CloudWizard are significant, indicating a shared origin or developer. Both use the RC5Simple library for encryption and the RapidJSON library for parsing JSON objects. They also share similar strings in their internet communication modules and have analogous naming conventions for files uploaded to their respective C2 servers. Additionally, victim IDs extracted from both malwares contain a date followed by two identical letters, albeit with slight variations in format. However, there are notable differences in the implants used by each malware: DUREX43 in CloudWizard and Hwo7X8p in CommonMagic. Victims of CommonMagic and CloudWizard are primarily located in areas of conflict in Eastern Europe, particularly those involved in the Ukrainian conflict. These malware frameworks represent an escalation in cyber warfare, using cloud services to conduct sophisticated attacks. The discovery of these interconnected frameworks highlights the increasing complexity and modularity of modern malware, as well as the geopolitical context in which they operate.

Description last updated: 2024-07-08T11:16:27.593Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Powermagic is a possible alias for Commonmagic. PowerMagic is a sophisticated malware, also known as DBoxShell, that has been linked to a series of advanced persistent threat (APT) activities. This malicious software was identified by Kaspersky researchers who traced its connections to previous APT activities such as Operation Groundbait, the Pri	4
Cloudwizard is a possible alias for Commonmagic. CloudWizard is a potent malware that has been implicated in advanced persistent threat (APT) campaigns, specifically those related to the Russo-Ukrainian conflict. It was first reported by Kaspersky in 2023 and is known for its features like taking screenshots, microphone recording, keylogging, amon	4
Prikormka is a possible alias for Commonmagic. Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Kaspersky

Apt

Malware

Backdoor

Encryption

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Commonmagic Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	a year ago	CloudSorcerer APT uses cloud services and GitHub as C2
CERT-EU	2 years ago	Battling the Exploitation of Cloud Services in Global Conflicts
CERT-EU	3 years ago	CloudWizard APT: the bad magic story goes on - GIXtools
CERT-EU	2 years ago	A Decade of ‘Bad Magic’ In Cyber Espionage
CERT-EU	3 years ago	Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU	3 years ago	APT trends report Q1 2023
CERT-EU	3 years ago	APT trends report Q1 2023 - GIXtools
CERT-EU	3 years ago	Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU	3 years ago	Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU	2 years ago	IT threat evolution in Q2 2023 – GIXtools
CERT-EU	2 years ago	IT threat evolution Q2 2023
CERT-EU	3 years ago	Unknown actors target orgs in Russia-occupied Ukraine
Securityaffairs	3 years ago	New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict
InfoSecurity-magazine	3 years ago	CommonMagic Targets Entities in Russo-Ukrainian Conflict Zone
CERT-EU	3 years ago	Ukraine targeted by novel malware attacks
InfoSecurity-magazine	3 years ago	CommonMagic Malware Implants Linked to New CloudWizard Framework
DARKReading	3 years ago	CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine