Novel Self-Spreading CMoon Worm Targets Russian Organizations, Stealing Sensitive User Data

Published on August 8, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A new self-spreading worm has been distributed in Russia since early July 2024, stealing account credentials, sensitive details, and financial data. The malware, named ‘CMoon’ by Kaspersky security researchers, is distributed to visitors of specific organizations' websites, focusing on high-value targets.

The worm, written in .NET for data theft and remote control, has broad capabilities, including loading additional malware, collecting screenshots, and initiating distributed denial of service (DDoS) attacks on Internet resources specified by the attacker through a legitimate site.

The attack was analyzed as the infection of a website belonging to a Russian city's gasification and gas supply services provider. The cybercriminals deployed this worm in a targeted attack focusing on people who accessed a specific website of a particular service provider in Russia.

CMoon Worm Sample
Image Source: Kaspersky

Two dozen URLs to regulatory documents found on this website (docx, .xlsx, .rtf, and .pdf) were replaced by the threat actors with links to malicious executables (.exe) with the same name retrieved from the same website. 

Once clicked, these behaved like self-extracting archives containing the original document and the CMoon payload, each document having its own archive. 

After successful deployment, CMoon starts monitoring the network, looking for connected USB drives, exfiltrating stored data, and installing a worm copy on USBs. It also exfiltrates files from browsers containing saved passwords, cookies, bookmarks, browsing history, and data for auto-filling forms, including credit card data. 

It also checks for crypto wallets on the device, such as Bitcoin, Monero, Binance, and more, messaging apps like Pidgin and Telegram, SSH clients like Snowflake (Muon), FTP clients such as FileZilla, video recording and streaming software like OBS Studio, authenticators like WinAuth and Authy, remote access software such as MobaXterm, and also VPN clients like OpenVPN.

The worm was observed harvesting files containing words like "secret," "service," "services," and "password" from documents in Desktop, Documents, Photos, and Downloads folders and external media, as well as system security, user actions, and credentials.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: