![]() The exploitation of a legitimate cloud service as the C&C server allows the malicious traffic to hide, providing the attackers with a resilient and easy to manage infrastructure, which explains why similar operations are increasingly common. Following a consolidated trend among advanced threat actors, the PowerMagic backdoor uses two legitimate cloud storage services, OneDrive and Dropbox, as its command and control (C&C) server, receiving commands and uploading results in response. ![]() In particular the decoy document, when opened, triggers a chain of events that lead to the final infection with the PowerMagic backdoor and the CommonMagic malicious framework. The discovery came from security researchers at Kaspersky, who identified an active campaign carried out by an advanced threat actor and ongoing since at least September 2021, targeting government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions, and characterized by the use of a previously unseen malicious framework called CommonMagic and a new backdoor called PowerMagic.Įven though not all the details of the campaign are clear, especially in terms of the initial vector of compromise, it looks like the attackers breached the victims via spear phishing or similar methods delivering a decoy document and a malicious LNK file, whose name is directly related to the content of the decoy document. Legitimate cloud storage services are increasingly being exploited for cyber espionage, so the discovery of a similar operation in the context of the Russian invasion of Ukraine was just a matter of time. Be the first to receive the Cloud Threats Memo directly in your inbox by subscribing here.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |