Detection and Delivery
In July 2024, a new cyber threat named CMoon was identified by Kaspersky Lab’s threat monitoring systems. This sophisticated worm was discovered on a legitimate website of a company offering gasification and gas supply services in Russia. The attackers cleverly replaced legitimate document download links with malicious executable files disguised as regulatory documents in various formats such as .docx, .xlsx, .rtf, and .pdf, but with an additional .exe extension. These files were presented as self-extracting archives containing both the genuine document and the malicious code.
The attack seemed to be targeted, primarily affecting users in Russia, as indicated by anonymized telemetry data from Kaspersky Security Network (KSN). This data is collected from Kaspersky Lab product users and suggested that visitors to the compromised website were the main targets.
Description of the Threat
The CMoon worm is crafted in .NET and is capable of extensive data theft and remote control operations. It first checks for antivirus software on the user's machine and, if none is found, installs itself in the %LocalAppData%\.dat directory and creates a startup shortcut, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup.lnk. It backdates the creation and modification timestamps of these files so that they appear to have been generated on May 22, 2013.
A notable feature of CMoon is its ability to monitor USB drives, stealing files and spreading to other systems by replacing drive files with shortcuts that redirect to the worm. It avoids files with .lnk and .exe extensions and those in folders containing the substrings .intelligence and .usb.
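The delivery, persistence and USB-propagation behaviours described above each leave a file-system trace a responder can look for. The following is an added example, not Kaspersky's code and not the worm's, that runs those indicator checks over a constructed file inventory. The double-extension lure pattern, the %LocalAppData%\.dat directory, the Startup shortcut and the May 22, 2013 timestamp come from the write-up; the user profile paths, the file name svc.exe, the E: drive and the shortcut targets are assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Document extension immediately followed by .exe, as in the lure files.
LURE_RE = re.compile(r"\.(?:docx|xlsx|rtf|pdf)\.exe$", re.IGNORECASE)
TIMESTOMP_DATE = date(2013, 5, 22)                 # date the worm backdates its files to
DROP_DIR_MARKER = "\\appdata\\local\\.dat\\"      # %LocalAppData%\.dat, lower-cased for matching
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


@dataclass
class FileRecord:
    """One entry of a file inventory, as a triage script would collect it."""
    path: str
    created: datetime
    modified: datetime
    lnk_target: Optional[str] = None  # resolved shortcut target, .lnk files only


def is_lure_name(path: str) -> bool:
    """Document name with a trailing .exe, e.g. regulation.docx.exe."""
    return LURE_RE.search(path) is not None


def is_timestomped_drop(rec: FileRecord) -> bool:
    """File inside %LocalAppData%\\.dat whose timestamps were backdated to 2013-05-22."""
    in_drop_dir = DROP_DIR_MARKER in rec.path.lower()
    backdated = rec.created.date() == TIMESTOMP_DATE and rec.modified.date() == TIMESTOMP_DATE
    return in_drop_dir and backdated


def is_startup_shortcut_to_drop(rec: FileRecord) -> bool:
    """Shortcut in the Startup folder that launches something from the drop directory."""
    p = rec.path.lower()
    if not (p.endswith(".lnk") and STARTUP_MARKER in p and rec.lnk_target):
        return False
    return DROP_DIR_MARKER in rec.lnk_target.lower()


def is_removable_shortcut_to_exe(rec: FileRecord, removable_drives: Tuple[str, ...]) -> bool:
    """.lnk on a removable drive whose target is an executable on that same drive:
    the pattern left behind when the worm replaces a user's files with shortcuts."""
    p = rec.path.lower()
    drive = p[:2]
    if drive not in removable_drives or not p.endswith(".lnk") or not rec.lnk_target:
        return False
    target = rec.lnk_target.lower()
    return target.startswith(drive) and target.endswith(".exe")


def scan(records: List[FileRecord], removable_drives: Tuple[str, ...] = ("e:",)) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for every record that matches an indicator."""
    findings = []
    for rec in records:
        if is_lure_name(rec.path):
            findings.append((rec.path, "document lure with double extension"))
        if is_timestomped_drop(rec):
            findings.append((rec.path, "backdated file in %LocalAppData%\\.dat"))
        if is_startup_shortcut_to_drop(rec):
            findings.append((rec.path, "Startup shortcut into drop directory"))
        if is_removable_shortcut_to_exe(rec, removable_drives):
            findings.append((rec.path, "removable-drive shortcut pointing at an .exe"))
    return findings


# Constructed sample inventory; svc.exe and the E: paths are placeholders, not real IoCs.
SAMPLE_RECORDS = [
    FileRecord("C:\\Users\\alice\\Downloads\\regulation.docx.exe",
               datetime(2024, 7, 3, 9, 0), datetime(2024, 7, 3, 9, 0)),
    FileRecord("C:\\Users\\alice\\AppData\\Local\\.dat\\svc.exe",
               datetime(2013, 5, 22, 0, 0), datetime(2013, 5, 22, 0, 0)),
    FileRecord("C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Startup.lnk",
               datetime(2024, 7, 3, 9, 1), datetime(2024, 7, 3, 9, 1),
               lnk_target="C:\\Users\\alice\\AppData\\Local\\.dat\\svc.exe"),
    FileRecord("E:\\Invoices.lnk", datetime(2024, 7, 4, 8, 0), datetime(2024, 7, 4, 8, 0),
               lnk_target="E:\\.cache\\svc.exe"),
    FileRecord("E:\\photos\\holiday.jpg", datetime(2023, 1, 1), datetime(2023, 1, 1)),
    FileRecord("C:\\Users\\alice\\Documents\\report.docx", datetime(2021, 3, 4), datetime(2021, 3, 4)),
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_RECORDS):
        print(f"{reason}: {path}")
```

The timestamp check deliberately requires both the creation and the modification date to fall on May 22, 2013, since a single matching date is common enough in legitimate software installs to be noisy; on a live host the inventory would be built from the Startup folder, %LocalAppData% and any mounted removable drive rather than from the constructed list.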
CMoon can receive commands from a remote server, enabling it to download and execute other malicious files, capture screenshots, launch DDoS attacks, and collect local network information.
Applications and Data Targeted
CMoon targets a variety of applications to steal sensitive data:
- Web Browsers: Firefox, Thunderbird, Waterfox, Microsoft Edge, Google Chrome, Opera, Opera GX, Yandex Browser
- Crypto Wallets: Guarda, Coinomi, Bitcoin, Electrum, Electrum-LTC, Zcash, Exodus, Jaxx, Monero, Binance, Wasabi Wallet, Atomic, Ledger Live
- Messengers: Pidgin, Telegram
- SSH Client: Snowflake (Muon)
- FTP Client: FileZilla
- Video Recording Software: OBS Studio
- Authenticators: WinAuth, Authy
- Remote Access Software: MobaXterm
- VPN Clients: OpenVPN
Additionally, it hunts for documents containing keywords like “secret,” “service,” and “password” in various formats, targeting files linked to system security and user credentials.
Communication and Packet Structure
Before connecting to its command server, CMoon verifies internet connectivity by making a request to a known server. Communication happens via a TCP connection, with outgoing packets beginning with the bytes “CMOON$”. These packets are encrypted using an RC4 key and can include data such as system information, Wi-Fi profiles, and screenshots.
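The packet structure above is enough to write a network detection and to prepare for decrypting captured beacons. As an added example, neither Kaspersky's nor the worm's code, the block below flags TCP payloads that begin with the bytes CMOON$ and traffic to port 9899 from the indicator list, and includes an RC4 routine to decrypt a packet body once the key has been recovered from a sample. The key, the assumption that the CMOON$ prefix is sent in clear ahead of the RC4-encrypted body, the beacon contents and the flow records are constructed for the demonstration; the addresses are from the TEST-NET ranges.

```python
from typing import Dict, List, Tuple

MAGIC = b"CMOON$"                  # prefix of outgoing packets, from the write-up
C2_PORT = 9899                     # port from the indicator list
ASSUMED_KEY = b"example-rc4-key"   # placeholder: the real key is not published here


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_cmoon_packet(payload: bytes) -> bool:
    """Content match at offset 0, the same test an IDS rule with content:"CMOON$"; depth:6 makes."""
    return payload.startswith(MAGIC)


def decrypt_body(payload: bytes, key: bytes) -> bytes:
    """Strip the magic and RC4-decrypt the remainder (assumes the prefix itself is in clear)."""
    if not is_cmoon_packet(payload):
        raise ValueError("not a CMOON$ packet")
    return rc4(key, payload[len(MAGIC):])


def triage_flows(flows: List[Tuple[str, str, int, bytes]]) -> Dict[Tuple[str, str, int], List[str]]:
    """flows: (src, dst, dport, first payload bytes). Returns the reasons for each suspicious flow."""
    results: Dict[Tuple[str, str, int], List[str]] = {}
    for src, dst, dport, payload in flows:
        reasons = []
        if is_cmoon_packet(payload):
            reasons.append("CMOON$ magic prefix")
        if dport == C2_PORT:
            reasons.append("destination port 9899")
        if reasons:
            results[(src, dst, dport)] = reasons
    return results


# Constructed flows; the first is a beacon built with the assumed key, the second a TLS
# ClientHello fragment, the third an HTTP request that only shares the port.
BEACON_BODY = b"host=WS01;wifi=HomeNet"
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 9899, MAGIC + rc4(ASSUMED_KEY, BEACON_BODY)),
    ("10.0.0.5", "198.51.100.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    ("10.0.0.8", "203.0.113.7", 9899, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, reasons in triage_flows(SAMPLE_FLOWS).items():
        print(flow, "->", ", ".join(reasons))
    print(decrypt_body(SAMPLE_FLOWS[0][3], ASSUMED_KEY))
```

The port-only match is kept as a weaker signal on purpose: the magic prefix is the reliable indicator, while port 9899 alone will also catch unrelated traffic and should be ranked below a content hit when the results are reviewed.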
The emergence of the CMoon worm underscores the critical need for improved security measures. While Kaspersky Lab managed to neutralize the threat from this particular compromised site, similar attacks may continue to pose risks. Users and organizations are urged to maintain vigilance, ensure their software is regularly updated, and adopt strong cybersecurity practices to safeguard against such threats.
Indicators of Compromise
- CMoon C2 Server: 185.167.95:9899
- MD5 Hash: 132404f2b1c1f5a4d76bd38d1402bdfa
By understanding the nature of the CMoon worm and its tactics, individuals and businesses can better protect their sensitive information from such advanced cyber threats.