by Aviv Raff
Filed under Research Lab and tagged Advanced persistent threats (APT), Malware, Targeted attack.
Q: What is the “Magic” malware?
A: “Magic” is an operation run by at least one group of cyber criminals that has targeted thousands of businesses and individuals, mainly in the United Kingdom, over the past 11 months.
Q: Is “Magic” an Advanced Persistent Threat?
A: “Magic” is a persistent operation that has been running for the past 11 months. While Magic is not yet advanced malware, it is under active development, with some advanced features still to be implemented.
Q: Which businesses have been infected with “Magic”?
A: While we cannot mention specific names, we have seen several affected industries, including Finance, Education and Telecom.
Q: Is “Magic” a new malware or threat?
A: “Magic” is an operation that has been running for the past 11 months. Some of this malware's variants may also be known to other security vendors as Asetus, Tilon or Win32.Enchanim.
Q: Who is behind this operation?
A: This campaign seems to be operated by cyber criminals with a probable intention of selling the data stolen from the affected businesses in underground forums. Selling such data for industrial espionage purposes has become a growing trend within the underground ecosystem.
Q: How can I know if my business is affected?
A: The easiest way is to sign up for our free service and gain visibility into this and other threats that may be affecting your corporate network.
Or, if you suspect that one of your corporate machines is indeed compromised, you can use the following Indicators of Compromise (IOCs) to search the endpoint:
• Files created:
  %TEMP%\[RndFile1]
  %TEMP%\[RndFile2].exe
  Where [RndFile1] = a random file name of 8 characters from [0-9A-F]
  Where [RndFile2] = a random file name of 7 characters from [A-Z]
• Registry entries created under:
  SOFTWARE\Classes\CLSID\{[GUID]}
  Where [GUID] = %botId[0:8]%-%botId[2:6]%-%botId[4:8]%-%botId[2:7]%-%botId[1:5]+botId[0:8]%
  Where botId = GetVolumeSerialNumber
    if botId < 0x10000000: botId += 0x10000000
    botId += 0x3a98
    botId %= 2^32
• You can also look within your gateway logs for HTTP communications to the campaign's command-and-control servers.
• MD5s of “Magic” malware variants seen throughout the time of the operation.
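As an added example (not code from the original post), the Python below turns the endpoint IOC description above into a check a responder can run on a suspect machine: it derives the expected CLSID key name from a volume serial number by following the botId adjustments and slice layout given above, and flags %TEMP% entries that match the two random-name patterns. It assumes the slices are half-open Python slices over the 8-digit uppercase hex form of botId (zero-padded after a wrap); the sample directory listing is constructed.

```python
import re

# Constants from the IOC description: floor added to small serial numbers,
# then a fixed offset, then reduction modulo 2^32.
BOT_ID_FLOOR = 0x10000000
BOT_ID_OFFSET = 0x3A98


def derive_bot_id(volume_serial: int) -> int:
    """Apply the botId adjustments described in the post to a volume serial number."""
    bot_id = volume_serial
    if bot_id < BOT_ID_FLOOR:
        bot_id += BOT_ID_FLOOR
    bot_id += BOT_ID_OFFSET
    return bot_id % 2**32


def derive_clsid(volume_serial: int) -> str:
    """Build the CLSID key name from the slice layout given in the post.

    Assumption: slices are half-open over the 8-digit uppercase hex string of
    botId; the fourth group therefore has 5 characters, exactly as written.
    """
    s = f"{derive_bot_id(volume_serial):08X}"
    return "{%s-%s-%s-%s-%s}" % (s[0:8], s[2:6], s[4:8], s[2:7], s[1:5] + s[0:8])


def registry_path(volume_serial: int) -> str:
    """Full registry path to search for on a host with the given volume serial."""
    return "SOFTWARE\\Classes\\CLSID\\" + derive_clsid(volume_serial)


# File-name patterns from the post: 8 hex digits with no extension,
# and 7 uppercase letters followed by .exe.
RND_FILE1 = re.compile(r"^[0-9A-F]{8}$")
RND_FILE2 = re.compile(r"^[A-Z]{7}\.exe$")


def suspicious_temp_names(names):
    """Return the entries of a %TEMP% listing that match either random-name pattern."""
    return [n for n in names if RND_FILE1.match(n) or RND_FILE2.match(n)]


if __name__ == "__main__":
    # Constructed sample listing, not taken from a real host.
    listing = ["3FA9C01B", "QWERTYU.exe", "setup.log", "abc.exe", "ZZZZZZZZ.exe"]
    print(suspicious_temp_names(listing))
    print(registry_path(0x0000ABCD))
```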
Can you provide the sample specimens of this malware?
Pingback: Newly launched ‘Magic Malware’ spam campaign relies on bogus ‘New MMS’ messages | Webroot Threat Blog - Internet Security Threat Updates from Around the World