New threat actor on the cyber-scene in Ukraine, says analyst

A previously unidentified partisan group is believed to be using new malware programs to phish for details of targets in disputed Russian-held areas of Ukraine.
Called CommonMagic and PowerMagic, the tools are also believed by analyst SecureList to be new malicious programs.
What isn’t clear from the SecureList report is whether the targets of the campaign, and indeed its perpetrators, are for or against Russia’s occupation of Ukrainian territories, including the disputed breakaway republics of Luhansk and Donetsk.
SecureList is an affiliate of Kaspersky, which has come under fire for alleged ties to the Kremlin.
The analyst claims to have observed since October “an active infection of government, agriculture and transportation organizations located in the Donetsk, Luhansk, and Crimea regions.”
It added: “Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear-phishing or similar methods.”
Spear-phishing is a targeted version of phishing aimed at specific individuals or entities, rather than relying on scattershot spamming techniques.
Victims are steered via social engineering methods, essentially a means of duping or conning a target over the internet, to a URL that points to a compressed ZIP archive containing a decoy document and a malicious file that infects a computer when opened.
The decoy Word document examined by SecureList is written in Russian and purports to cover the results of the “State Duma elections in the Republic of Crimea” – the territory annexed by Russia in 2014 and widely regarded as the precursor to its subsequent invasion of Ukraine last year.
Another document called out as a fake by SecureList claims to be from the Finance Ministry of the Democratic People’s Republic of Donetsk – which the international community says is a territory of Ukraine illegally occupied by Russia.
“When the potential victim activates the file included in the ZIP, it triggers a chain of events that lead to the infection of the computer with a previously unseen malicious framework that we named CommonMagic,” said SecureList.
“The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.”
Another new type of malware spotted by the cybersecurity analyst is a backdoor program enabling covert access to a targeted machine, which it dubbed PowerMagic. This in turn enables the threat actor to hijack a computer from a remote location known as a “command and control server.”
SecureList says that to date it has found “no direct links” between its own findings and “any previously known [threat] actors” but stresses that “the campaign is still active.”