Trojan uses “magic” code to infect organizations around globe

A trojan that uses an authentication code to communicate with its command-and-control (C&C) server has tainted thousands of organizations around the globe, primarily companies in the U.K.

Seculert, an Israel-based advanced threat detection firm, posted the findings Wednesday about malware called “Magic” on its blog.

The company discovered that the malware – capable of setting up a backdoor to download additional malware, steal data and inject HTML into users' browsers – had remained undetected on victims' machines for the past 11 months.

But so far, some of the malicious capabilities of Magic haven't been used – such as installing more advanced malware – leading researchers to believe that attackers merely are in a reconnaissance phase, but potentially setting the stage for a “much broader attack,” the blog post said.

The malware's name was derived from a “magic code” that is entered at the beginning of all command-and-control communications sent from infected machines to the server. The step helps attackers confirm that instructions they receive are, in fact, from an infected machine in the botnet.

Aviv Raff, CTO and co-founder of Seculert, said the number of targeted organizations is fewer than 5,000. Seventy-eight percent of those targeted by the threat have been in the U.K., while a much smaller portion of attacks have occurred in several other countries, including the United States, Italy and Germany.

Enterprises in the finance, education and telecommunications sectors appear to be the top targets for attackers, Raff said in a Wednesday interview.

“They are still monitoring the activities of their victims, so they are doing reconnaissance now,” Raff said. “Because [Magic] has been downloading additional malware, we believe it is just part of the campaign. What they will probably do next is download some module that removes all recent [evidence] of attacks so no one will be able to see what they have done.”

Raff added that while he couldn't confirm the exact infection method used by the group, it appears attackers may have used popular tactics like spear phishing, in which weaponized emails are crafted for specific targets at an organization, or drive-by downloads, in which users' machines are compromised simply by visiting a malicious web page.

In a follow-up email, Raff highlighted attackers' ability to confirm, via the "magic" code, that "only a real infected machine is communicating with the [C&C] server."

Saboteurs have used varied methods to authenticate C&C communications in other campaigns. For example, last month, Kaspersky researchers released a report on cyber espionage malware, called “MiniDuke,” which hit 59 organizations in 23 countries since 2012.

The malware verified its C2 communications by using Twitter to find tweets with encrypted URLs. The tweets were sent from accounts set up by MiniDuke operators. The malware was also capable of using Google search as a backup method of finding the encrypted domains, if they weren't located through Twitter.
