Black Magic APT Targets Ukraine with CommonMagic and PowerMagic

The attack chain

• Bad Magic mostly likely uses spear-phishing messages with booby-trapped URLs to deliver a malicious ZIP archive hosted on an attacker-controlled web server.
• The archive contains a decoy document and a malicious LNK file with a double extension. 
• The LNK file starts the infection and culminates in the deployment of a backdoor, named PowerMagic, which is written in PowerShell.
• The backdoor establishes a connection with a remote server and receives arbitrary commands that are executed on the infected machine.
• Subsequently, the results are uploaded to public cloud services such as Dropbox and Microsoft OneDrive, and OAuth refresh tokens are used as credentials.

Deployment of CommonMagic via PowerMagic

• PowerMagic acts as a medium to deliver the CommonMagic framework that contains a set of several executable modules.
• These modules are capable of interacting with the C2 server, encrypting and decrypting C2 traffic, and executing plugins (Screenshot and USB).
• The Screenshot plugin (S[.]exe) captures screenshots every three seconds using the GDI API and the USB plugin U[.]exe gathers files of interest from connected USB devices.

Wrapping up