Bad Magic's Extended Reign in Cyber Espionage Goes Back Over a Decade
New findings about a threat actor linked to cyber attacks targeting entities in the Russia-Ukraine conflict region reveal that the group may have been active for far longer than previously thought.
The threat actor, tracked as Bad Magic (aka Red Stinger), is now associated not only with a sophisticated new campaign, but also with an activity cluster that was first revealed in May 2016.
“While previously targets were mainly located in the Donetsk, Luhansk and Crimea regions, their scope has now been expanded to include individuals, diplomatic entities and research organizations in Western and Central Ukraine,” Russian cybersecurity firm Kaspersky said in a technical report published last week.
The campaign was characterized by the use of a new modular framework codenamed CloudWizard, featuring the ability to take screenshots, record microphones, log keystrokes, retrieve passwords, and harvest Gmail inboxes.
Bad Magic was first documented by the company in March 2023, detailing the use of a group of backdoors called PowerMagic (aka DBoxShell or GraphShell) and a modular framework dubbed CommonMagic in attacks targeting Russian-occupied Ukraine.
Then earlier this month, Malwarebytes disclosed at least five waves of espionage attacks carried out by the group since December 2020.
Deeper insights shared by Kaspersky link Bad Magic to past activity based on a sweep of historical telemetry data, enabling the company to identify various artifacts associated with the CloudWizard framework from 2017 to 2020.
The initial access vector used to deliver the first-stage installer is currently unknown. That said, the malware is configured to drop a Windows service (“syncobjsup.dll”) and a second file (“mods.lrc”), which in turn contains three different modules for harvesting and exfiltrating sensitive data.
Collected data is transmitted in encrypted form to an actor-controlled cloud storage endpoint (OneDrive, Dropbox or Google Drive), with a web server used as a fallback if none of the cloud services is accessible.
Kaspersky said it identified overlapping source code between an older version of CloudWizard and another piece of malware known as Prikormka, which Slovak cybersecurity firm ESET discovered in 2016.
[Image source: ESET]
The espionage campaign, tracked by ESET under the moniker Operation Groundbait, notably targeted anti-government separatists in Donetsk and Luhansk as well as Ukrainian government officials, politicians and journalists.
Prikormka is spread via a dropper contained in a malicious email attachment and features 13 different components to harvest various types of data from compromised machines. Evidence gathered by ESET indicates that the malware has been used selectively since at least 2008.
CloudWizard also shows similarities to a related intrusion set called BugDrop disclosed by CyberX (which has been acquired by Microsoft) in 2017, with the industrial cybersecurity firm describing it as more advanced than Groundbait.
Similarities have also been unearthed between CloudWizard and CommonMagic, including overlapping victimology and source code, indicating that the threat actor has been repeatedly tinkering with its malware arsenal and infecting targets for approximately 15 years.
Recent developments, which link the CloudWizard framework to the actors behind Operation Groundbait and Operation BugDrop, provide another piece of the puzzle in the effort to unravel the bigger picture of the mysterious group's origins.
“The threat actors responsible for this operation have demonstrated a persistent and ongoing commitment to cyber espionage, constantly improving their tools and targeting organizations of interest for over 15 years,” Kaspersky researcher Georgy Kucherin said.
“Geopolitical factors continue to be a significant motivator for APT attacks, and given the existing tensions in the Russian-Ukrainian conflict area, we anticipate that this actor will continue its operations for the foreseeable future.”