Commonmagic

Malware Profile Updated 19 days ago
CommonMagic is a modular malware framework that has been in use since at least September 2021 against government, agriculture and transportation organizations in the Donetsk, Lugansk and Crimea regions. Kaspersky attributes it to a previously unknown APT group, which it tracks as Bad Magic, operating in the area of the Russo-Ukrainian conflict; later reporting extended the victim set to central and western Ukraine. The framework is deployed in stages: the first implant is the PowerShell backdoor PowerMagic (also known as DBoxShell), which uses public cloud storage as its command-and-control channel and is used to install CommonMagic on the victim. CommonMagic itself is a set of plugins that talk to a command-and-control server, likewise hosted on public cloud storage, and perform tasks such as encrypting and decrypting C2 traffic, stealing documents and capturing screenshots.

CommonMagic is closely related to a second framework, CloudWizard, which Kaspersky found while continuing the investigation it had begun in 2022. The overlaps are substantial enough to point to a shared origin or developer: both use the RC5Simple library for encryption and the RapidJSON library for parsing JSON, both contain similar strings in their internet communication modules, both name files uploaded to their C2 servers in analogous ways, and victim IDs extracted from both consist of a date followed by two identical letters, with minor differences in format. The two are not identical, however: the identifier embedded in CloudWizard is DUREX43, while CommonMagic carries Hwo7X8p.

Victims of both frameworks are located mainly in the conflict areas of Eastern Europe, and in particular among organizations involved in the conflict in Ukraine. Their reliance on cloud services for command and control, and the plugin-based design, are representative of current espionage tooling, and the links between the two frameworks show how one operator's toolset evolves over time. This profile carries no file or network indicators; the Kaspersky reports listed under Source Document References are the place to get them.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following overlapping names and profiles may also be worth a look. The number in parentheses is the vote count for the overlap.

Cloudwizard (4): CloudWizard is a sophisticated malware discovered in May 2023, allegedly developed by an unidentified threat actor based in Ukraine. This malicious software has been linked to a broader set of cyber-attacks across the country, marking an evolution from its predecessors by exploiting well-known cloud
Powermagic (4): PowerMagic is a sophisticated malware, also known as DBoxShell, that has been linked to a series of advanced persistent threat (APT) activities. This malicious software was identified by Kaspersky researchers who traced its connections to previous APT activities such as Operation Groundbait, the Pri
Prikormka (2): Prikormka is a type of malware that was used in Operation Groundbait, a cyber threat campaign that took place between 2008 and 2016. The malware is typically deployed through a dropper contained within malicious email attachments and has 13 different components designed to harvest various types of d
Bad Magic (1): Bad Magic, a malicious software (malware), was first reported by Kaspersky in March 2023. The malware is associated with a hacker group known as 'Bad Magic' or 'Red Stinger', which targets companies involved in the Russo-Ukrainian conflict. The group's modus operandi involves the use of a backdoor c
Dboxshell (1): DboxShell is a type of malware that uses cloud storage services as a command and control (C&C) mechanism. It is also known as PowerMagic by Kaspersky. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can dis
Graphshell (1): GraphShell is a malicious software (malware) that has been used in cyber-attacks to exploit and damage computer systems. It was first reported in March 2023 by Kaspersky, which documented its use by the 'Bad Magic' group in attacks targeting Russian-occupied territories of Ukraine. The malware, also k
Hwo7x8p (1): no profile description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Kaspersky
Backdoor
Malware
Apt
Encryption
Malware Impl...
Espionage
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the CommonMagic malware was read from the documents corpus below. This display is limited to 20 results.

Securelist, 19 days ago: CloudSorcerer APT uses cloud services and GitHub as C2
CERT-EU, 6 months ago: Battling the Exploitation of Cloud Services in Global Conflicts
CERT-EU, a year ago: CloudWizard APT: the bad magic story goes on - GIXtools
CERT-EU, a year ago: A Decade of 'Bad Magic' In Cyber Espionage
CERT-EU, a year ago: Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU, a year ago: APT trends report Q1 2023
CERT-EU, a year ago: APT trends report Q1 2023 - GIXtools
CERT-EU, a year ago: Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
CERT-EU, a year ago: Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk
CERT-EU, a year ago: IT threat evolution in Q2 2023 - GIXtools
CERT-EU, a year ago: IT threat evolution Q2 2023
CERT-EU, a year ago: Unknown actors target orgs in Russia-occupied Ukraine
Securityaffairs, a year ago: New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict
InfoSecurity-magazine, a year ago: CommonMagic Targets Entities in Russo-Ukrainian Conflict Zone
CERT-EU, a year ago: Ukraine targeted by novel malware attacks
InfoSecurity-magazine, a year ago: CommonMagic Malware Implants Linked to New CloudWizard Framework
DARKReading, a year ago: CommonMagic APT Campaign Broadens Target Scope to Central and Western Ukraine