Be the first to receive the Cloud Threats Memo directly in your inbox by subscribing here.
Legitimate cloud storage services are increasingly being exploited for cyber espionage, so the discovery of a similar operation in the context of the Russian invasion of Ukraine was just a matter of time.
The discovery came from security researchers at Kaspersky, who identified an active campaign carried out by an advanced threat actor and ongoing since at least September 2021, targeting government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions, and characterized by the use of a previously unseen malicious framework called CommonMagic and a new backdoor called PowerMagic.
Even though not all the details of the campaign are clear, especially in terms of the initial vector of compromise, it looks like the attackers breached the victims via spear phishing or similar methods delivering a decoy document and a malicious LNK file, whose name is directly related to the content of the decoy document.
In particular the decoy document, when opened, triggers a chain of events that lead to the final infection with the PowerMagic backdoor and the CommonMagic malicious framework. Following a consolidated trend among advanced threat actors, the PowerMagic backdoor uses two legitimate cloud storage services, OneDrive and Dropbox, as its command and control (C&C) server, receiving commands and uploading results in response. The exploitation of a legitimate cloud service as the C&C server allows the malicious traffic to hide, providing the attackers with a resilient and easy to manage infrastructure, which explains why similar operations are increasingly common.
How Netskope mitigates the risk of legitimate cloud services exploited for the C&C infrastructure
Dropbox and OneDrive are among the thousands of services where the Netskope Next Gen SWG can provide granular access control, threat protection, and DLP capabilities and also among the hundreds of services for which instance detectio