Woburn, MA – May 19, 2023 – Kaspersky researchers have provided further details on the CommonMagic campaign, which was first observed in March targeting companies in the Russo-Ukrainian conflict area. The new research reveals more sophisticated malicious activities from the same threat actor. The investigation identified that the newly-discovered framework has expanded its victimology to include organizations in Central and Western Ukraine. Kaspersky experts have also linked the unknown actor to previous APT campaigns, such as Operation BugDrop and Operation Groundbai (Prikormka).
In March 2023, Kaspersky reported a new APT campaign in the Russo-Ukrainian conflict area. This campaign, named CommonMagic, utilizes PowerMagic and CommonMagic implants to conduct espionage activities. Active since September 2021, it employs a previously unidentified malware to collect data from targeted entities. Although the threat actor responsible for this attack remained unknown at the time, Kaspersky experts have persisted with their investigation, tracing the unknown activity back to forgotten campaigns in order to gather further insights.
The recently uncovered campaign utilized a modular framework called CloudWizard. Kaspersky’s research identified a total of 9 modules within this framework, each responsible for distinct malicious activities such as gathering files, keylogging, capturing screenshots, recording microphone input, and stealing passwords. Notably, one of the modules focuses on exfiltrating data from Gmail accounts. By extracting Gmail cookies from browser databases, this module can access and smuggle activity logs, contact lists, and all email messages associated with the targeted accounts.
Furthermore, the researchers have uncovered an expanded victim distribution in the campaign. While the previous targets were primarily located in the Donetsk, Luhansk, and Crimea regions, the scope has now widened to include individuals, diplomatic entities, and research organizations in Western and Central Ukraine.
After extensive research into CloudWizard, Kaspersky experts have made significant progress in attributing it to a known threat actor. They have observed notable similarities between CloudWizard and two previously documented campaigns: Operation Groundbait and Operation BugDrop. These similarities include code similarities, file naming and listing patterns, hosting by Ukrainian hosting services, and shared victim profiles in Western and Central Ukraine, as well as the conflict area in Eastern Europe.
Moreover, CloudWizard also exhibits resemblances to the recently reported campaign CommonMagic. Some sections of the code are identical, they employ the same encryption library, follow a similar file naming format, and share victim locations within the Eastern European conflict area.
Based on these findings, Kaspersky experts have concluded that the malicious campaigns of Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic, and CloudWizard may all be attributed to the same active threat actor.
“The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyberespionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years,” said Georgy Kucherin, security researcher at Kaspersky’s Global Research and Analysis Team. “Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future.”
Read the full report about the CloudWizard campaign on Securelist.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures: