A new article reports that an advanced threat actor has been discovered using a previously unseen malicious framework called CommonMagic and a new backdoor called PowerMagic. The malware components have been used in operations since at least September 2021 and continue to target organizations in the administrative, agriculture, and transportation sectors for espionage purposes. Once inside the victim network, the attackers use separate plugins to steal documents and files from USB devices and to take screenshots every three seconds using the Windows Graphics Device Interface (GDI) API.
The researchers believe that the initial infection vector is spear phishing or a similar method used to deliver a URL pointing to a ZIP archive that contains a malicious LNK file. Despite the unconventional approach, the CommonMagic campaign has proven to be successful, and the adversary continues to be active today. The limited victimology and the Russian-Ukrainian conflict-themed lures suggest that the attackers likely have a specific interest in the geopolitical situation in that region.
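The delivery chain described above ends with a shortcut (LNK) file inside a ZIP archive, which is something a mail gateway or sandbox pre-filter can check for before the archive ever reaches a user. The script below is an added example written for this summary, not code from the researchers or from the reported campaign. It uses only the Python standard library and inspects a ZIP archive for shortcut entries by two signals: the `.lnk` extension and the MS-SHLLINK header magic (HeaderSize 0x4C followed by the LinkCLSID), so a shortcut renamed to look like a document is still caught. The sample archive is constructed inline so the script runs offline; the "shortcut" entries are just the 20-byte header followed by filler, not working shortcuts.

```python
"""Flag ZIP archives that carry Windows shortcut (.lnk) files.

Added example for this summary; not code from the page or the researchers.
Assumes only the Python standard library. The sample archive is constructed.
"""
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x0000004C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")


def lnk_entries(zip_bytes: bytes) -> list[dict]:
    """Return one record per archive entry that looks like a shortcut.

    Both signals are reported separately: 'ext' is True for a '.lnk' name,
    'magic' is True when the first 20 bytes match the LNK header. A
    shortcut renamed to '.docx' is therefore still flagged (magic only),
    and a plain text file named 'x.lnk' is flagged with magic=False so an
    analyst can see it is a false extension rather than a real shortcut.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_ext or by_magic:
                findings.append({
                    "name": info.filename,
                    "ext": by_ext,
                    "magic": by_magic,
                    "size": info.file_size,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample from the campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly figures\n")          # benign
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)  # double extension
        zf.writestr("notes.docx", LNK_MAGIC + b"\x00" * 56)       # renamed shortcut
        zf.writestr("readme.lnk", "just text, not a shortcut\n")   # false extension
    return buf.getvalue()


if __name__ == "__main__":
    for finding in lnk_entries(build_sample_archive()):
        print(finding)
```

Run it as-is to see the three flagged entries; in a gateway you would call `lnk_entries()` on each ZIP attachment and quarantine any archive where `magic` is True, which is the signal that survives renaming.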