Commonmagic

Malware Profile Updated 13 days ago
CommonMagic is a modular malware framework, linked to the Russo-Ukrainian conflict, that has targeted government, agriculture, and transportation organizations in the Donetsk, Lugansk, and Crimea regions since September 2021. Attributed to an Advanced Persistent Threat (APT) group, it can encrypt and decrypt its network traffic, steal documents, and capture screenshots. It is delivered via PowerMagic, which communicates with a command-and-control (C2) server before the CommonMagic infection is triggered. Our investigation into this malicious software began in 2022, starting from simple PowerShell scripts deployed by an unknown actor, and led us to discover two large related modular frameworks: CommonMagic and CloudWizard.

CommonMagic and CloudWizard share several notable traits. Both use the same strings in their internet communication modules (MD5: 84BDB1DC4B037F9A46C001764C115A32 for CloudWizard and MD5: 7C0E5627FD25C40374BC22035D3FADD8 for CommonMagic), both use the RC5Simple library for encryption, and both use the RapidJSON library to parse JSON objects. Both also generate similar victim IDs consisting of a date followed by two identical letters, although the exact format differs between the two frameworks. Victims of both CommonMagic and CloudWizard are located primarily in the conflict area of Eastern Europe. The two frameworks differ in how they name files uploaded to the C2 server: CommonMagic uses the format mm.dd _hh.mm.ss.ms.dat, whereas CloudWizard uses dd.mm.yyyy_hh.mm.ss.ms.dat. Despite these shared characteristics, the malicious implants used by each framework have changed: DUREX43 in CloudWizard and Hwo7X8p in CommonMagic.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID | Votes | Profile Description
Powermagic | 4 | PowerMagic is a sophisticated malware, also known as DBoxShell, that has been linked to a series of advanced persistent threat (APT) activities. This malicious software was identified by Kaspersky researchers who traced its connections to previous APT activities such as Operation Groundbait, the Pri
Cloudwizard | 3 | CloudWizard is a sophisticated malware discovered in May 2023, believed to be unleashed by a mysterious threat actor operating out of Ukraine. This malicious software framework was designed to target a broader set of victims across the country. It demonstrated an evolution from its predecessors by e
Prikormka | 2 | Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d
Miscellaneous Associations
Other contextual elements that may help in assessing relevance
Kaspersky
Malware
Backdoor
Encryption
Apt
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CommonMagic malware was taken from the document corpus listed below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | a year ago | CloudWizard APT: the bad magic story goes on - GIXtools
DARKReading | a year ago | CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine
Securityaffairs | a year ago | New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict
InfoSecurity-magazine | a year ago | CommonMagic Targets Entities in Russo-Ukrainian Conflict Zone
CERT-EU | a year ago | Ukraine targeted by novel malware attacks
InfoSecurity-magazine | a year ago | CommonMagic Malware Implants Linked to New CloudWizard Framework
CERT-EU | 10 months ago | A Decade of ‘Bad Magic’ In Cyber Espionage
CERT-EU | 9 months ago | IT threat evolution in Q2 2023 – GIXtools
CERT-EU | 4 months ago | Battling the Exploitation of Cloud Services in Global Conflicts
CERT-EU | 9 months ago | IT threat evolution Q2 2023
CERT-EU | a year ago | Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU | a year ago | Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU | a year ago | Unknown actors target orgs in Russia-occupied Ukraine
CERT-EU | a year ago | APT trends report Q1 2023 - GIXtools
CERT-EU | a year ago | Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU | a year ago | APT trends report Q1 2023