In recent weeks, reports have surfaced of attacks carried out by an advanced threat actor using a previously unknown malicious framework, CommonMagic, and a new backdoor, PowerMagic.
Researchers believe that at least one of the malware components has been in use since September 2021.
The campaign is still ongoing: the malware continues to be developed, and it continues to target organizations in the administrative, agricultural and transportation sectors for espionage.
The infection chain starts with a malicious LNK file. When the victim opens it, it points the Windows Installer executable at a malicious MSI file hosted on a remote server, which is downloaded and executed.
The MSI file is essentially a dropper package: it contains a decoy document to display to the victim, an encrypted next-stage payload (service-pack.dat), and a dropper script (runservice-pack.vbs) that decrypts and runs that payload.
Once the decoy document has been displayed, the next-stage script writes two files, config and manutill[.]vbs, to %APPDATA%/WinEventCom and creates a Task Scheduler job named WindowsActiveXTaskTrigger that runs the command wscript[.]exe %APPDATA%/WinEventCom/manutill[.]vbs every day.
The manutill[.]vbs script dropped by the initial package is a loader for a previously unknown PowerShell backdoor named PowerMagic.
The main body of the backdoor is stored in the file %APPDATA%/WinEventCom/config, encrypted with a simple XOR algorithm; the loader decrypts it before execution.
As soon as the backdoor starts, it creates a named mutex, WinEventCom, the standard way a backdoor ensures that only one copy of itself is running.
It then enters an infinite loop in which it communicates with its C&C server, receiving commands and uploading the results of executing them.
PowerMagic was not the actor's only tool. Every PowerMagic victim was also infected with a second, more complex and previously unknown modular framework named CommonMagic.
The CommonMagic framework consists of several executable modules, all located in the directory C:\ProgramData\CommonCommand. Each module runs as a standalone executable, and the modules communicate with one another through named pipes.
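The artifacts described above (the WindowsActiveXTaskTrigger task, the config and manutill.vbs files under %APPDATA%\WinEventCom, the WinEventCom mutex, and the C:\ProgramData\CommonCommand module directory) are enough to hunt for both PowerMagic and CommonMagic on a live host. The following PowerShell script is an added example written for this page, not code from the original report or from the malware; it only uses the names the text itself gives and makes two assumptions it labels in comments: that %APPDATA% resolves to C:\Users\<user>\AppData\Roaming for every profile, and that the mutex may live in either the session-local or the Global namespace.

```powershell
# Added example: host hunt for the PowerMagic / CommonMagic artifacts named in the text.
# Run from an elevated PowerShell so that other users' profiles and tasks are readable.
$findings = @()

function Add-Finding([string]$Indicator, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Indicator = $Indicator; Detail = $Detail }
}

# 1. Persistence: the scheduled task by name, and any task whose action points at manutill.vbs
#    (catches a renamed task that still runs the loader).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($task.TaskName -eq 'WindowsActiveXTaskTrigger' -or $cmd -match 'WinEventCom\\manutill\.vbs') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 2. PowerMagic loader and encrypted body. %APPDATA% is per-user, so walk every profile
#    (assumption: profiles live under C:\Users and %APPDATA% is AppData\Roaming).
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = Join-Path $_.FullName 'AppData\Roaming\WinEventCom'
    foreach ($name in 'config', 'manutill.vbs') {
        $f = Join-Path $dir $name
        if (Test-Path -LiteralPath $f) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            Add-Finding 'PowerMagicFile' "$f sha256=$hash"
        }
    }
}

# 3. CommonMagic modules: every file under the directory the framework uses.
$cm = 'C:\ProgramData\CommonCommand'
if (Test-Path -LiteralPath $cm) {
    Get-ChildItem -LiteralPath $cm -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Add-Finding 'CommonMagicFile' "$($_.FullName) sha256=$hash"
    }
}

# 4. Running backdoor: the named mutex. OpenExisting throws if the mutex is absent;
#    an access-denied error means it exists under another security context, which is still a hit.
#    Assumption: the text does not say which namespace is used, so both are tried.
foreach ($mutexName in 'WinEventCom', 'Global\WinEventCom') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mutexName)
        $m.Dispose()
        Add-Finding 'Mutex' "$mutexName is present: PowerMagic is likely running"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # mutex does not exist in this namespace; nothing to report
    } catch [System.UnauthorizedAccessException] {
        Add-Finding 'Mutex' "$mutexName exists but is owned by another security context"
    }
}

# 5. Running loader: wscript.exe with manutill.vbs on its command line.
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLine -match 'manutill\.vbs' } |
    ForEach-Object { Add-Finding 'Process' "PID $($_.ProcessId): $($_.CommandLine)" }

if ($findings.Count -eq 0) {
    Write-Output 'No PowerMagic / CommonMagic indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A session-local mutex is only visible from the same logon session as the process that created it, so on a multi-user host the mutex check should be run in the suspected user's session (or treated as a weaker signal than the task and file checks, which are visible system-wide). The hashes are collected so that hits from several hosts can be compared against each other; the text does not publish hashes, so none are hard-coded here.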
Hiding Under Ordinary Tactics
CommonMagic attacks rely on methods that are neither complex nor innovative. An infection chain that starts with malicious LNK files inside ZIP archives has been observed from multiple threat actors.
Cisco Talos, for example, reported on YoroTrooper, a threat actor that used phishing emails carrying malicious LNK files and decoy PDF files packed in ZIP or RAR archives to conduct cyber espionage, a technique similar to CommonMagic's.
By combining unsophisticated techniques shared by many actors with original malicious code that had never been seen before, the attackers have so far made it impossible to connect the campaign to any other known activity.
While CommonMagic appears to have been active since 2021, the adversary intensified its efforts last year and remains active today.