Commonmagic

Malware updated 2 months ago (2024-07-08T11:17:41.534Z)
CommonMagic is a malicious software framework that has been in active use since at least September 2021 against government, agriculture, and transportation organizations in the Donetsk, Lugansk, and Crimea regions. It is attributed to an APT group linked to the Russo-Ukrainian conflict and works by deploying modules onto infected systems for tasks such as encrypting and decrypting traffic, stealing documents, and capturing screenshots. The malware communicates with a command-and-control (C2) server, which then triggers the infection within the CommonMagic framework. CommonMagic is closely related to another malware framework, CloudWizard; both were discovered during an investigation that began in 2022. The similarities are significant enough to indicate a shared origin or developer: both use the RC5Simple library for encryption and the RapidJSON library for parsing JSON objects, both contain similar strings in their internet communication modules, and both follow analogous naming conventions for files uploaded to their respective C2 servers. Victim IDs extracted from both malware families also consist of a date followed by two identical letters, with only slight variations in format. There are, however, notable differences in the implants used by each framework: DUREX43 in CloudWizard and Hwo7X8p in CommonMagic. Victims of CommonMagic and CloudWizard are primarily located in conflict areas of Eastern Europe, particularly organizations involved in the Ukrainian conflict. These frameworks represent an escalation in cyber warfare, using cloud services to conduct sophisticated attacks, and their discovery highlights the increasing complexity and modularity of modern malware as well as the geopolitical context in which it operates.
Description last updated: 2024-07-08T11:16:27.593Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.

ID | Votes | Profile Description
Powermagic | 4 | PowerMagic is a sophisticated malware, also known as DBoxShell, that has been linked to a series of advanced persistent threat (APT) activities. This malicious software was identified by Kaspersky researchers who traced its connections to previous APT activities such as Operation Groundbait, the Pri
Cloudwizard | 4 | CloudWizard is a malicious software (malware) that has been used in advanced persistent threat (APT) campaigns. First reported by Kaspersky in 2023, it has been linked to cyber warfare activities in the Russo-Ukrainian conflict area. The malware operates by infiltrating systems and performing harmfu
Prikormka | 2 | Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Kaspersky, APT, Malware, Backdoor, Encryption
Source Document References
Information about the CommonMagic malware was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
Securelist | 2 months ago | CloudSorcerer APT uses cloud services and GitHub as C2
CERT-EU | 8 months ago | Battling the Exploitation of Cloud Services in Global Conflicts
CERT-EU | a year ago | CloudWizard APT: the bad magic story goes on - GIXtools
CERT-EU | a year ago | A Decade of ‘Bad Magic’ In Cyber Espionage
CERT-EU | a year ago | Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU | a year ago | APT trends report Q1 2023
CERT-EU | a year ago | APT trends report Q1 2023 - GIXtools
CERT-EU | a year ago | Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU | a year ago | Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU | a year ago | IT threat evolution in Q2 2023 – GIXtools
CERT-EU | a year ago | IT threat evolution Q2 2023
CERT-EU | a year ago | Unknown actors target orgs in Russia-occupied Ukraine
Securityaffairs | a year ago | New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict
InfoSecurity-magazine | a year ago | CommonMagic Targets Entities in Russo-Ukrainian Conflict Zone
CERT-EU | a year ago | Ukraine targeted by novel malware attacks
InfoSecurity-magazine | a year ago | CommonMagic Malware Implants Linked to New CloudWizard Framework
DARKReading | a year ago | CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine