Friday, March 29, 2024

Unknown hackers spy in the DPR, LPR and Crimea using a previously unexplored backdoor

The spy campaign is notable for the way in which stolen files are sent.

Kaspersky Lab specialists reported that a cyber-espionage campaign has been running in the DPR, LPR and Crimea since 2021, targeting government, agricultural and transport organizations.

According to the Kaspersky Lab report, the hackers in this campaign use the CommonMagic and PowerMagic malware, which can take screenshots and steal files from connected media, sending them to the attackers via cloud storage.

Presumably, the attack begins with phishing emails sent on behalf of government organizations. When the victim clicks the link in the email, a malicious ZIP archive is downloaded that contains two files:

  1. a harmless decoy document (in PDF, XLSX, or DOCX format);
  2. a malicious LNK file with a double extension (for example, “.pdf.lnk”).

When the shortcut is opened, the PowerMagic backdoor is installed on the device. It receives commands from a remote folder in a public cloud storage service, executes them, and then uploads the results of those commands back to the cloud.

A decoy PDF document with a link to a malicious shortcut
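The lure described above (a ZIP archive pairing a decoy document with a double-extension shortcut such as “.pdf.lnk”) is easy to screen for at a mail gateway or in a sandbox. The following is an added example, not code from Kaspersky or the article, using a heuristic I wrote for it: flag archive members whose name stacks a document extension in front of `.lnk`, and also members whose bytes start with the Windows shortcut header even though the name does not end in `.lnk`. The sample archive is constructed in memory from placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

# First 20 bytes of every Windows shortcut: HeaderSize (0x4C) followed by the LNK CLSID.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")
# Document types the article says the decoy mimics (assumed list for this example).
DOCUMENT_EXTENSIONS = {".pdf", ".xlsx", ".docx"}


def suspicious_members(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) pairs for entries that look like disguised shortcuts.
    Heuristic written for this example, not Kaspersky's detection logic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise suffixes; stray spaces before '.lnk' are a common padding trick.
            suffixes = [s.strip().lower() for s in PurePosixPath(info.filename).suffixes]
            if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DOCUMENT_EXTENSIONS:
                findings.append((info.filename, "double extension"))
                continue
            # Content check: a shortcut renamed to hide its extension still carries the LNK header.
            with archive.open(info) as member:
                header = member.read(len(LNK_MAGIC))
            if header == LNK_MAGIC and suffixes[-1:] != [".lnk"]:
                findings.append((info.filename, "lnk header under non-lnk name"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive for the demo: placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("notice.pdf", b"%PDF-1.4 placeholder decoy")
        archive.writestr("notice.pdf.lnk", LNK_MAGIC + b"\x00" * 16)
        archive.writestr("scan.docx", LNK_MAGIC + b"\x00" * 16)  # shortcut hiding under a document name
        archive.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_archive()):
        print(f"{name}: {reason}")
```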

PowerMagic establishes persistence in the system and survives reboots of the device. It is also used to deploy the CommonMagic framework, which consists of several modules: CommonMagic can steal files from USB devices and take a screenshot every 3 seconds, sending them to the cybercriminals.

“We are following this campaign. What is remarkable about it is not the malware and technology – they are not the most ingenious – but the fact that it uses cloud storage as its command and control infrastructure (C2, C&C). We will continue to investigate this threat and hopefully be able to share more about CommonMagic later,” said Leonid Bezvershenko, cybersecurity expert at Kaspersky Lab.



Source: www.securitylab.ru
