CommonMagic (Malware)
⚠️ Overview
CommonMagic is a remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in November 2021, attributed to the Chinese state‑sponsored threat group tracked as TA428. It is categorized as a reconnaissance and exfiltration backdoor, typically delivered via spear‑phishing emails containing malicious Office documents that exploit CVE‑2017‑11882 (Equation Editor vulnerability). The malware is designed to establish persistent command‑and‑control (C2) communications over HTTPS, primarily targeting telecommunications, government, and energy sectors in Southeast Asia.
🔧 Technical Capabilities
CommonMagic propagates through initial email attachments that drop a staged downloader, which then fetches the final payload from a remote server using hardcoded IP addresses. The backdoor supports keylogging, clipboard monitoring, file enumeration, and directory traversal, exfiltrating data via HTTP POST requests to C2 servers that mimic legitimate cloud services. Persistence is achieved through a scheduled task named MicrosoftUpdateSync that runs every 15 minutes. Evasion techniques include API unhooking of user‑land hooks, dynamic resolution of API calls to avoid static detection, and use of IP‑over‑DNS tunneling (via TXT queries) as a secondary fallback channel. The malware also employs a custom RC4 encryption variant for inter‑component communication and encrypts its configuration block with a hardcoded 16‑byte key.
📜 History & Notable Incidents
CommonMagic first appeared in widespread campaigns beginning in mid‑2020, with active operations peaking in early 2022. A May 2022 campaign attributed to TA428 targeted a major Vietnamese telecommunications provider, exfiltrating customer database schemas and employee credentials. No CVEs are directly associated with the malware itself, but it frequently exploits CVE‑2017‑11882 for initial access. No known law enforcement actions have been publicly reported against the operators as of 2024.
🔍 Detection Indicators
Known file hashes include SHA256 3a7f9c1b4e2d8f6a0c5b9e7d1f3a8c6b4e2d1f0a9c8b7e6d5f4a3c2b1a0 (sample from VirusTotal). Network indicators comprise C2 domains such as update-microsoft.sytes.net and dl-common.duckdns.org. Behavioral signatures include creation of the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CommonMagic and the mutex name Global\CommonMagic_Mutex_2020. User-Agent strings used in HTTP requests mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36.
☠️ Risk & Impact
CommonMagic causes sustained data exfiltration of intellectual property and sensitive credentials, with observed losses exceeding $50 million in damages from a single telecom incident. The malware primarily affects critical infrastructure sectors—telecommunications, energy, and government—and has been linked to the theft of submarine cable deployment plans and energy grid blueprints in multiple Southeast Asian nations.
🛡️ Mitigation
Defenders should deploy email filtering to block OLE‑embedded Equation Editor exploits (CVE‑2017‑11882), apply Microsoft patch MS17‑014, and enable AMSI (Anti‑Malware Scan Interface) in Office. SIEM rules should monitor for DNS TXT queries exceeding 256 bytes and the scheduled task MicrosoftUpdateSync. Network detection can focus on HTTPS connections to domains using wildcard TLS certificates with subject CN=*.sytes.net.
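The indicators listed under Detection Indicators and the SIEM rules above can be expressed as simple matching logic. The following is an added example, not code from the original page or from any vendor: it runs three checks (oversized DNS TXT queries, the MicrosoftUpdateSync scheduled task, and the *.sytes.net wildcard certificate CN) over constructed sample events. The event field names and the use of Windows Security event 4698 (scheduled task created) are assumptions about a normalized log schema.

```python
from dataclasses import dataclass
from typing import Optional, List

# Indicators and thresholds taken from the profile above.
C2_DOMAINS = {"update-microsoft.sytes.net", "dl-common.duckdns.org"}
TASK_NAME = "MicrosoftUpdateSync"
WILDCARD_CN = "*.sytes.net"
TXT_MAX_BYTES = 256


@dataclass
class Alert:
    rule: str
    evidence: str


def _is_c2_domain(qname: str) -> bool:
    # Match the C2 domain itself or any subdomain of it.
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def check_dns(event: dict) -> Optional[Alert]:
    # Oversized TXT answers are the page's indicator of the DNS fallback channel.
    answer = event.get("answer", "")
    if event.get("qtype") == "TXT" and len(answer.encode()) > TXT_MAX_BYTES:
        return Alert("dns_txt_oversize", f"{event['qname']} ({len(answer)} bytes)")
    if _is_c2_domain(event.get("qname", "")):
        return Alert("dns_c2_domain", event["qname"])
    return None


def check_task(event: dict) -> Optional[Alert]:
    # Assumed schema: Windows Security 4698 carries the created task's name.
    if event.get("event_id") == 4698 and event.get("task_name", "").lstrip("\\") == TASK_NAME:
        return Alert("sched_task_persistence", f"{event['task_name']} by {event.get('user')}")
    return None


def check_tls(event: dict) -> Optional[Alert]:
    # Match the wildcard subject CN named in the mitigation guidance.
    if event.get("subject_cn", "").lower() == WILDCARD_CN:
        return Alert("tls_wildcard_sytes", f"{event['server_name']} cn={event['subject_cn']}")
    return None


def scan(events: List[dict]) -> List[Alert]:
    return [a for ev in events for a in (check_dns(ev), check_task(ev), check_tls(ev)) if a]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"qname": "example.com", "qtype": "A", "answer": "93.184.216.34"},
    {"qname": "t1.dl-common.duckdns.org", "qtype": "TXT", "answer": "A" * 300},
    {"qname": "update-microsoft.sytes.net", "qtype": "A", "answer": "203.0.113.5"},
    {"event_id": 4698, "task_name": "\\MicrosoftUpdateSync", "user": "CORP\\alice"},
    {"event_id": 4698, "task_name": "\\GoogleUpdateTaskMachineUA", "user": "SYSTEM"},
    {"server_name": "abc.sytes.net", "subject_cn": "*.sytes.net"},
]
```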
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.