Threat Research

Bad magic: new APT found in the area of Russo-Ukrainian conflict

Securonix

Bad Magic is a Russo-Ukrainian conflict–related APT campaign delivering a modular malware stack starting with a ZIP delivered via a phishing-like lure, then a malicious LNK that leads to an MSI dropper. The operation unfolds as PowerShell-based loaders and a PowerMagic backdoor, with a cloud-based C2 channel using OneDrive/Dropbox, and a follow-on CommonMagic framework for modular tasks. #PowerMagic #CommonMagic #BadMagicAPT #OneDrive #MicrosoftGraphAPI #PowerShell #Msiexec #webservice-srv.online #webservice-srv1.online #185.166.217.184 #Donetsk #Lugansk #Crimea

Keypoints

  • Active cyber operations tied to the Russo-Ukrainian conflict have been observed targeting government, agriculture, and transportation sectors in Donetsk, Lugansk, and Crimea.
  • The initial compromise likely involved spearphishing or similar methods, leading victims to a ZIP archive hosted on a malicious server containing a decoy document and a double-extension LNK file.
  • Opening the LNK in the archive triggers infection via a Windows MSI dropper that downloads and runs a next-stage payload (service_pack.dat) and a decoy document.
  • The dropper decrypts the next stage with a multi-step XOR process, executes a PowerShell-based loader, and then cleans up disk artifacts.
  • The main PowerMagic backdoor uses a mutex (WinEventCom), runs commands via PowerShell, and communicates with C2 through cloud storage (OneDrive/Dropbox) using the Microsoft Graph API and OAuth tokens.
  • A modular framework named CommonMagic is deployed after PowerMagic, featuring multiple executable modules, named pipes, and plugins (e.g., Screenshot and USB data collection) to expand capabilities.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files: “The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server. The archive, in turn, contained two files:”
  • [T1204.002] User Execution: Malicious File – a malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened. “a malicious LNK file with a double extension (e.g., .pdf.lnk) that leads to infection when opened”
  • [T1218.005] Signed Binary Proxy Execution: Msiexec – The MSI file is downloaded and started by the Windows Installer executable. “The MSI file is effectively a dropper package, containing an encrypted next-stage payload (service_pack.dat), a dropper script (runservice_pack.vbs) and a decoy document that is supposed to be displayed to the victim.”
  • [T1027] Obfuscated/Encrypted Files and Information – Decryption of service_pack.dat using a multi-step XOR routine before execution. “The decrypted payload is obtained by decrypting service_pack.dat via an XOR-based scheme.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The dropper’s embedded PowerShell decrypts and runs the next stage. “a wrapper for launching an embedded PowerShell script that decrypts the next stage using a simple one-byte XOR, launches it and deletes it from disk.”
  • [T1053.005] Scheduled Task – Creation of a daily Task Scheduler job WindowsActiveXTaskTrigger to execute the VBS launcher. “creates a Task Scheduler job named WindowsActiveXTaskTrigger, to execute the
    • [T1071.001] Web Protocols – C2 over cloud storage via OneDrive/Graph API for command and control. “The framework uses OneDrive remote folders as a transport. It utilizes the Microsoft Graph API using an OAuth refresh token embedded into the module binary for authentication.”
    • [T1071.004] Web Protocols: Cloud Storage – Data exchange with the operator through cloud services (OneDrive/Dropbox) and RC5Simple-based encryption. “The data exchanged with the operator via the OneDrive location is encrypted using the RC5Simple open-source library.”

Indicators of Compromise

  • [Domain] webservice-srv.online, webservice-srv1.online – domains hosting ZIP archives used in the initial delivery
  • [IP] 185.166.217.184 – host for the MSI attachment used in the dropper (URL shown in the article)
  • [MD5] 0a95a985e6be0918fdb4bfabf0847b5a, ecb7af5771f4fe36a3065dc4d5516d84, and 2 more hashes – MD5 hashes of lure archives
  • [File name] attachment.msi, service_pack.dat, manutil.vbs – core artifacts in the PowerMagic dropper and loader chain
  • [Mutex] WinEventCom – mutex created by the backdoor
  • [URL] http://185.166.217.184/CFVJKXIUPHESRHUSE4FHUREHUIFERAY97A4FXA/attachment.msi, https://content.dropboxapi.com/2/files/upload, https://content.dropboxapi.com/2/files/download – C2 and dropper components
  • [Path] %APPDATA%WinEventCom – directory used to store payloads and scripts

Read more: https://securelist.com/bad-magic-apt/109087/