Cybersecurity experts have uncovered a new worm named CMoon targeting users through compromised websites. This sophisticated malware can steal confidential and payment data, download additional malware, and launch Distributed Denial-of-Service (DDoS) attacks.
The worm was initially detected in July 2024, and its distribution method and functionality have raised significant concerns among cybersecurity professionals.
Detection and Delivery
At the end of July, Kaspersky Lab’s threat monitoring systems identified CMoon on a legitimate website belonging to a company providing gasification and gas supply services in a Russian city.
The attackers had replaced links to download regulatory documents in various formats (.docx, .xlsx, .rtf, .pdf) with malicious executable files.
These files were cleverly disguised to appear as the original documents with an added .exe extension. About two dozen links were compromised, each leading to a self-extracting archive containing both the original document and the malicious payload.
According to the SecureList report, the payload, named CMoon, was discovered through Kaspersky Security Network (KSN) telemetry data.
This data, anonymized and collected from Kaspersky Lab product users, indicated that the threat was primarily encountered by users in Russia, suggesting a targeted attack on visitors to the specific compromised site.
Description of the Threat
CMoon is a worm written in .NET, equipped with extensive data theft and remote control capabilities. Once it infects a user’s machine, it first checks for the presence of antivirus software.
If none is detected, it installs itself as a .dat file under %LocalAppData% and creates a startup shortcut (.lnk) in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup so that it runs at every logon.
The worm then alters its files’ creation and modification dates to appear as if they were created on May 22, 2013. One of CMoon’s notable features is its ability to monitor connected USB drives, allowing it to steal files and propagate itself to other computers.
It replaces files on the drive with shortcuts leading to the malware, except for files with .lnk and .exe extensions and those in folders with .intelligence and .usb substrings.
The worm can also receive commands from a remote server to perform various tasks, including downloading and executing other malicious files, taking screenshots, initiating DDoS attacks, and collecting information about local network resources.
Each request the worm sends to its command server follows the layout below (a pseudo-C description of the wire format, not compilable code):
struct Request {
    char magic[6];         // fixed marker "CMOON$" at the start of every outgoing packet
    u8 packet_type;        // identifies what the packet carries (system info, screenshot, ...)
    char rc4_key[8];       // RC4 key used for the data field
    be u64 data_size;      // big-endian length of the data field that follows
    char data[data_size];  // RC4-encrypted payload
    char botid[32];        // identifier of the infected machine
    char md5[32];          // 32-character hex MD5 digest
};
Applications and Data Targeted
CMoon targets a wide range of applications to steal sensitive data, including:
- Browsers: Firefox, Thunderbird, Waterfox, Microsoft Edge, Google Chrome, Opera, Opera GX, Yandex Browser
- Crypto Wallets: Guarda, Coinomi, Bitcoin, Electrum, Electrum-LTC, Zcash, Exodus, Jaxx, Monero, Binance, Wasabi Wallet, Atomic, Ledger Live
- Messengers: Pidgin, Telegram
- SSH Client: Snowflake (Muon)
- FTP Client: FileZilla
- Video Recording Software: OBS Studio
- Authenticators: WinAuth, Authy
- Remote Access Software: MobaXterm
- VPN Clients: OpenVPN
The worm also searches for documents containing keywords like “secret,” “service,” and “password” in various formats, as well as files related to system security and user credentials.
Communication and Packet Structure
Before communicating with its command server, CMoon checks the internet connection by requesting a known server. Communication occurs via a TCP connection, with outgoing packets starting with the bytes “CMOON$”.
The packets are encrypted using an RC4 key and contain various data types, including system information, Wi-Fi profiles, and screenshots.
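As an added illustration (not code from the Securelist report or from the malware itself), here is a Python parser for the request layout shown above, the kind of routine a sensor or triage script would use to decode a captured packet. It assumes the data field is RC4-encrypted with the 8-byte key carried in the same header and that botid and md5 are ASCII text; the sample packet is constructed here solely to exercise the parser offline.

```python
import struct
from dataclasses import dataclass

MAGIC = b"CMOON$"          # marker that opens every outgoing CMoon packet
HEADER_LEN = 6 + 1 + 8 + 8  # magic + packet_type + rc4_key + be u64 data_size
TRAILER_LEN = 32 + 32       # botid + md5


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@dataclass
class Request:
    packet_type: int
    rc4_key: bytes
    data: bytes   # payload after RC4 decryption
    botid: str
    md5: str


def parse_request(raw: bytes) -> Request:
    """Decode one captured packet; raises ValueError if it is not a well-formed CMoon request."""
    if len(raw) < HEADER_LEN + TRAILER_LEN or raw[:6] != MAGIC:
        raise ValueError("not a CMoon request: bad magic or truncated header")
    packet_type = raw[6]
    rc4_key = raw[7:15]
    (data_size,) = struct.unpack(">Q", raw[15:23])   # big-endian u64 as in the struct
    end = HEADER_LEN + data_size
    if len(raw) != end + TRAILER_LEN:
        raise ValueError("data_size does not match packet length")
    data = rc4(rc4_key, raw[HEADER_LEN:end])          # assumption: key in header decrypts data
    botid = raw[end:end + 32].decode("ascii", "replace")
    md5 = raw[end + 32:end + 64].decode("ascii", "replace")
    return Request(packet_type, rc4_key, data, botid, md5)


def sample_packet() -> bytes:
    """Constructed test packet (not real traffic): packet_type 1, hypothetical key and bot id."""
    key, payload = b"ABCDEFGH", b"hostname=TEST-PC;os=Windows 10"
    enc = rc4(key, payload)
    return MAGIC + bytes([1]) + key + struct.pack(">Q", len(enc)) + enc + b"a" * 32 + b"0" * 32
```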
The CMoon worm represents a sophisticated and targeted cyber threat, highlighting the need for enhanced security measures. While Kaspersky Lab successfully neutralized the threat from the compromised website, the possibility of similar attacks on other sites remains a concern.
Users and organizations are advised to remain vigilant, ensure their software is up-to-date, and employ robust cybersecurity practices to protect against such threats.
Indicators of compromise
CMoon C2
93[.]185[.]167[.]95:9899
MD5
132404f2b1c1f5a4d76bd38d1402bdfa