The CommonMagic malware implant has been associated with a previously unknown advanced persistent threat campaign linked to the Russo-Ukrainian conflict and relies on a new modular framework.
Dubbed “CloudWizard,” the framework was discovered by security researchers at Kaspersky, who described it in an advisory published today.
Leonid Bezvershenko, Georgy Kucherin and Igor Kuznetsov highlighted that sections of the CloudWizard code were identical to CommonMagic as they employed the same encryption library, followed a similar file naming format and shared victim locations.
The same active threat actor is also believed to be responsible for the malicious campaigns known as Operation Groundbait and Operation BugDrop.
The researchers said CloudWizard victims were not limited to the Donetsk, Lugansk and Crimea regions of Ukraine but also included central and western areas. The targets encompassed individuals, diplomatic entities and research organizations.
CloudWizard offers nine modules, collectively delivering various hacking capabilities, including file gathering, keylogging, screenshot capture, microphone input recording and password theft. It can also extract Gmail cookies from browser databases and then access and smuggle activity logs, contact lists and all email messages associated with the targeted accounts.
“The threat actor responsible for these operations has demonstrated a persistent and ongoing commitment to cyber-espionage, continuously enhancing their toolset and targeting organizations of interest for over fifteen years,” Kucherin said, commenting on the findings.
“Geopolitical factors continue to be a significant motivator for APT attacks and, given the prevailing tension in the Russo-Ukrainian conflict area, we anticipate that this actor will persist with its operations for the foreseeable future.”
The Kaspersky report comes a couple of months after the Russian government announced that officials would no longer be able to use messaging apps developed and run by foreign companies allegedly in a bid to minimize the chance of sensitive information reaching Ukraine’s allies.