Where data is home

Hackers Target Administrative Organizations With PowerMagic And CommonMagic Malware


Administrative organizations are facing a growing threat from hackers who employ PowerMagic and CommonMagic malware. The infection chain begins with a malicious LNK file that contains a link to a malicious MSI file. This MSI file acts as a dropper package, housing a decoy document and an encrypted payload, both stored in the %APPDATA%/WinEventCom folder. A Task Scheduler job named WindowsActiveXTaskTrigger runs a script daily, creating files called config and manutill[.]vbs in the same %APPDATA%/WinEventCom folder. The manutill[.]vbs script functions as a loader for the PowerMagic backdoor, while the config file holds the main body of the backdoor. Through communication with a command and control (C&C) server, the backdoor executes commands and uploads the results. Additionally, the hackers employ the more intricate and adaptable CommonMagic framework as part of their infection chain. This framework relies on simple methods to carry out attacks. The CommonMagic framework, reported by Cisco Talos, poses an ongoing and persistent threat to administrative organizations.

Key Takeaways

  • Hackers are using PowerMagic and CommonMagic malware to target administrative organizations.
  • The infection chain involves malicious LNK files, dropper packages, and decoy documents.
  • PowerMagic is a backdoor that communicates with a command and control server, while CommonMagic is a more complex and modular framework.
  • CommonMagic attacks use simple methods but combine them with original code, and the activity of CommonMagic has been reported by Cisco Talos.

Infection Chain

The infection chain of the PowerMagic and CommonMagic malware involves the use of malicious LNK files containing links to malicious MSI files, which act as dropper packages with decoy documents and encrypted payloads. These files are stored in the %APPDATA%/WinEventCom folder. The decoy documents serve as a cover, while the encrypted payloads contain the actual malicious code. Additionally, a Task Scheduler job named WindowsActiveXTaskTrigger is responsible for executing a script on a daily basis. This script is used to further carry out the malicious activities of the malware. By following this infection chain, the attackers are able to gain access to the targeted administrative organizations and carry out their malicious objectives.

PowerMagic Backdoor

Developed as a covert tool, the PowerMagic backdoor stealthily establishes communication channels and executes commands, posing a significant threat to the security of sensitive systems. The backdoor is loaded by the script manutill[.]vbs, and its main body is located in the file %APPDATA%/WinEventCom/config. It creates a mutex named WinEventCom and interacts with a command and control (C&C) server to receive and execute commands; the results of these commands are then uploaded in response. Countermeasures against the PowerMagic backdoor include implementing strong access controls to prevent unauthorized access, regularly updating and patching software to address vulnerabilities, using intrusion detection systems to detect and block malicious activity, and conducting regular security audits and assessments to identify and address potential weaknesses in the system.

CommonMagic Framework

Characterized by its complexity, the CommonMagic framework is a modular tool employed by threat actors to execute sophisticated cyber attacks. This framework, which is part of the infection chain, poses significant challenges for defenders because little is known about it. CommonMagic consists of executable modules located in the C:\ProgramData\CommonCommand directory and uses named pipes for inter-module communication. These features make it difficult to detect and analyze. To protect against CommonMagic attacks, organizations should implement robust security measures, including regularly updating antivirus software, conducting security awareness training for employees, and implementing network segmentation. Additionally, organizations should employ advanced threat detection and response solutions, such as intrusion detection systems and behavior-based analytics, to identify and mitigate CommonMagic framework activity.

Hiding Tactics

Utilizing conventional methods combined with original code, threat actors employ unsophisticated techniques to conceal their activities and evade detection. CommonMagic attacks rely on simple and non-innovative tactics, such as phishing emails and decoy PDF files, to initiate the infection chain. This allows the hackers to bypass traditional security measures and infiltrate administrative organizations. To counter these evasion techniques, organizations need to implement robust countermeasures against CommonMagic. This includes implementing advanced threat detection systems that can identify and analyze the behavior of the malware. Additionally, organizations should regularly update their security protocols and educate employees about the potential risks associated with phishing emails and malicious attachments. By staying vigilant and proactive, organizations can mitigate the threat posed by CommonMagic and protect their sensitive data from unauthorized access.

CommonMagic Activity

Reported by Cisco Talos, the activity of the CommonMagic framework has been observed since 2021, indicating a persistent and ongoing threat. CommonMagic is being used by hackers to target administrative organizations, and its impact on these organizations is significant, posing a serious risk to their security. Hackers employ various techniques to distribute the CommonMagic malware, including phishing emails and decoy PDF files. These unsophisticated methods, combined with original code, allow the threat actors to infiltrate and compromise the targeted organizations. CommonMagic's modular and complex nature makes it difficult to detect and mitigate. It communicates through named pipes and uses executable modules located in C:\ProgramData\CommonCommand. The ongoing activity of CommonMagic underscores the need for robust cybersecurity measures to protect against this persistent threat.
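The indicators this article names (the WindowsActiveXTaskTrigger task, the manutill.vbs loader and config file under %APPDATA%\WinEventCom, the WinEventCom mutex, and executables plus named pipes under C:\ProgramData\CommonCommand) are concrete enough to hunt for in endpoint telemetry. The following Python triage pass is an added example, not code from the original article or from any vendor report; it runs over constructed event records shaped like Sysmon (EventID 1, 11, 17/18) and Windows Security (EventID 4698) fields. The sample events, the module file name placeholder_module.exe and the pipe name placeholder_pipe are constructed placeholders, since the article names neither a module nor a pipe.

```python
"""Indicator triage for the PowerMagic / CommonMagic chain described in the article.

Added example, not code from the original article or from any vendor report.
Event records below are constructed samples, not real telemetry.
"""
from collections import namedtuple

# Indicators taken from the article text (paths compared case-insensitively).
TASK_NAME = "WindowsActiveXTaskTrigger"
APPDATA_SUBDIR = "\\wineventcom\\"                # %APPDATA%\WinEventCom
LOADER_FILES = {"manutill.vbs", "config"}         # loader script and backdoor body
MUTEX_NAME = "WinEventCom"
MODULE_DIR = "c:\\programdata\\commoncommand\\"   # CommonMagic module directory
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

Finding = namedtuple("Finding", ["rule", "event_id", "detail"])


def _norm(path):
    """Lower-case and normalise to backslashes so either slash style matches."""
    return (path or "").replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def _in_appdata_wineventcom(path):
    # %APPDATA% resolves to <profile>\AppData\Roaming on Windows.
    return "\\appdata\\roaming" + APPDATA_SUBDIR in _norm(path)


def triage(events):
    """Return one Finding per event that matches an article indicator."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = _norm(ev.get("Image"))
        cmd = _norm(ev.get("CommandLine"))

        # Persistence: the daily task, seen at creation (4698) or via schtasks.exe.
        task = (ev.get("TaskName") or "").lstrip("\\")
        if eid == 4698 and task.lower() == TASK_NAME.lower():
            findings.append(Finding("persistence_task", eid, task))
        elif eid == 1 and _basename(image) == "schtasks.exe" and TASK_NAME.lower() in cmd:
            findings.append(Finding("persistence_task", eid, ev["CommandLine"]))

        # Loader drop: manutill.vbs or config written under %APPDATA%\WinEventCom.
        if eid == 11:
            target = ev.get("TargetFilename")
            if _in_appdata_wineventcom(target) and _basename(target) in LOADER_FILES:
                findings.append(Finding("loader_drop", eid, target))

        # Loader execution: a script host running manutill.vbs from that folder.
        if eid == 1 and _basename(image) in SCRIPT_HOSTS and APPDATA_SUBDIR + "manutill.vbs" in cmd:
            findings.append(Finding("loader_exec", eid, ev["CommandLine"]))

        # CommonMagic: any executable under C:\ProgramData\CommonCommand, and any
        # named pipe it creates (17) or connects to (18).
        if image.startswith(MODULE_DIR):
            if eid == 1:
                findings.append(Finding("commonmagic_module", eid, ev["Image"]))
            elif eid in (17, 18):
                findings.append(Finding("module_pipe", eid, f"{ev['Image']} -> {ev.get('PipeName')}"))
    return findings


def check_mutexes(handle_names):
    """Match the WinEventCom mutex in a handle listing (Global\\ or Local\\ prefix stripped)."""
    return [name for name in handle_names if name.split("\\")[-1] == MUTEX_NAME]


# Constructed sample events (not real telemetry); module and pipe names are
# placeholders because the article names neither.
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\WindowsActiveXTaskTrigger"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\WinEventCom\\manutill.vbs"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\WinEventCom\\config"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Roaming\\WinEventCom\\manutill.vbs"},
    {"EventID": 1, "Image": "C:\\ProgramData\\CommonCommand\\placeholder_module.exe",
     "CommandLine": "placeholder_module.exe"},
    {"EventID": 17, "Image": "C:\\ProgramData\\CommonCommand\\placeholder_module.exe",
     "PipeName": "\\placeholder_pipe"},
    # Benign look-alikes that must not fire.
    {"EventID": 11, "Image": "C:\\Program Files\\Notes\\notes.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Notes\\config"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe C:\\Scripts\\backup.vbs"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
    print(check_mutexes(["Global\\WinEventCom", "Global\\SomeOtherMutex"]))
```

The rules are deliberately keyed on the article's own indicators rather than on the file content of the loader or the backdoor, so a renamed module inside C:\ProgramData\CommonCommand still fires on the directory match, and a pipe rule that depends on a pipe name the article never gives is avoided. The mutex check is kept separate because mutex creation is not a Sysmon event and has to come from a handle listing.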

Frequently Asked Questions

How does the malicious LNK file infect the administrative organizations?

Administrative organizations can protect themselves from LNK file infections by implementing strong security measures such as regular software updates, robust antivirus software, user education on phishing techniques, and network segmentation. Common indicators of an LNK file infection in administrative organizations include unusual system behavior, unexpected file modifications, and the presence of unfamiliar files or processes.

What is the purpose of the manutill[.]vbs script in the PowerMagic backdoor?

The manutill[.]vbs script in the PowerMagic backdoor enables persistence and executes commands on the compromised system. It maintains persistence by acting as a loader for the backdoor and creating a mutex for communication. It can execute various commands as instructed by the command and control server.

How does the CommonMagic framework communicate between its executable modules?

The potential risks and consequences of using the CommonMagic framework include increased vulnerability to cyberattacks, compromise of sensitive data, and potential financial and reputational damage to organizations. Organizations can protect themselves from CommonMagic and PowerMagic malware attacks by implementing robust cybersecurity measures, such as regularly updating software, using strong passwords, conducting regular security audits, and educating employees about phishing and other common attack vectors.

What are some specific unsophisticated techniques used by CommonMagic attacks?

Unsophisticated techniques employed by CommonMagic attacks include the use of simple and non-innovative methods, such as phishing emails and decoy PDF files. These attacks combine unsophisticated techniques with original code to target administrative organizations.

How long has CommonMagic been active and what type of organizations does it target?

CommonMagic has been active since 2021 and poses a persistent threat to administrative organizations. It is a growing threat that has intensified its efforts in the past year. Cisco Talos has reported on CommonMagic's activity.
