CommonMagic APT Marketing campaign Broadens Goal Scope to Central and Western Ukraine

[ad_1]

Woburn, MA – Could 19, 2023 – Kaspersky researchers have supplied additional particulars on the CommonMagic marketing campaign, which was first noticed in March concentrating on firms within the Russo-Ukrainian battle space. The brand new analysis reveals extra refined malicious actions from the identical menace actor. The investigation recognized that the newly-discovered framework has expanded its victimology to incorporate organizations in Central and Western Ukraine. Kaspersky consultants have additionally linked the unknown actor to earlier APT campaigns, resembling Operation BugDrop and Operation Groundbai (Prikormka).

In March 2023, Kaspersky reported a brand new APT marketing campaign within the Russo-Ukrainian battle space. This marketing campaign, named CommonMagic, makes use of PowerMagic and CommonMagic implants to conduct espionage actions. Energetic since September 2021, it employs a beforehand unidentified malware to gather knowledge from focused entities. Though the menace actor chargeable for this assault remained unknown on the time, Kaspersky consultants have persevered with their investigation, tracing the unknown exercise again to forgotten campaigns to be able to collect additional insights.

The not too long ago uncovered marketing campaign utilized a modular framework known as CloudWizard. Kaspersky’s analysis recognized a complete of 9 modules inside this framework, every chargeable for distinct malicious actions resembling gathering recordsdata, keylogging, capturing screenshots, recording microphone enter, and stealing passwords. Notably, one of many modules focuses on exfiltrating knowledge from Gmail accounts. By extracting Gmail cookies from browser databases, this module can entry and smuggle exercise logs, contact lists, and all e-mail messages related to the focused accounts.

Moreover, the researchers have uncovered an expanded sufferer distribution within the marketing campaign. Whereas the earlier targets have been primarily positioned within the Donetsk, Luhansk, and Crimea areas, the scope has now widened to incorporate people, diplomatic entities, and analysis organizations in Western and Central Ukraine.

After intensive analysis into CloudWizard, Kaspersky consultants have made important progress in attributing it to a identified menace actor. They’ve noticed notable similarities between CloudWizard and two beforehand documented campaigns: Operation Groundbait and Operation BugDrop. These similarities embody code similarities, file naming and itemizing patterns, internet hosting by Ukrainian internet hosting providers, and shared sufferer profiles in Western and Central Ukraine, in addition to the battle space in Japanese Europe.

Furthermore, CloudWizard additionally displays resemblances to the not too long ago reported marketing campaign CommonMagic. Some sections of the code are an identical, they make use of the identical encryption library, observe an identical file naming format, and share sufferer places throughout the Japanese European battle space.

Based mostly on these findings, Kaspersky consultants have concluded that the malicious campaigns of Prikormka, Operation Groundbait, Operation BugDrop, CommonMagic, and CloudWizard might all be attributed to the identical lively menace actor.  

“The menace actor chargeable for these operations has demonstrated a persistent and ongoing dedication to cyberespionage, repeatedly enhancing their toolset and concentrating on organizations of curiosity for over fifteen years,” mentioned Georgy Kucherin, safety researcher at Kaspersky’s International Analysis and Evaluation Staff. “Geopolitical elements proceed to be a major motivator for APT assaults and, given the prevailing rigidity within the Russo-Ukrainian battle space, we anticipate that this actor will stick with its operations for the foreseeable future.”

Learn the complete report concerning the CloudWizard marketing campaign on Securelist.

With the intention to keep away from falling sufferer to a focused assault by a identified or unknown menace actor, Kaspersky researchers advocate implementing the next measures:

  • Present your SOC group with entry to the newest menace intelligence (TI). The Kaspersky Menace Intelligence Portal is a single level of entry for the corporate’s TI, offering it with cyberattack knowledge and insights gathered by Kaspersky spanning over 20 years.
  • Upskill your cybersecurity group to sort out the newest focused threats with Kaspersky on-line coaching developed by GReAT consultants
  • For endpoint stage detection, investigation, and well timed remediation of incidents, implement EDR options resembling Kaspersky Endpoint Detection and Response
  • Along with adopting important endpoint safety, implement a corporate-grade safety resolution that detects superior threats on the community stage at an early stage, resembling Kaspersky Anti Focused Assault Platform
  • As many focused assaults begin with phishing or different social engineering strategies, introduce safety consciousness coaching and train sensible expertise to your group – for instance, by way of the Kaspersky Automated Safety Consciousness Platform

[ad_2]

Leave a Comment

Your email address will not be published. Required fields are marked *