Novel Self-Spreading CMoon Worm Targets Russian Organizations, Stealing Sensitive User Data

• A new type of worm was seen being deployed via compromised websites of specific Russian organizations.
• The malware has extensive capabilities and can exfiltrate sensitive user data and banking details.
• It can also initiate distributed denial of service attacks and infect USB drives connected to the infected machines.

A new self-spreading worm has been distributed in Russia since early July 2024, stealing account credentials, sensitive details, and financial data. The malware, named ‘CMoon’ by Kaspersky security researchers, is distributed to visitors of specific organizations' websites, focusing on high-value targets.

The worm, written in .NET for data theft and remote control, has broad capabilities, including loading additional malware, collecting screenshots, and initiating distributed denial of service (DDoS) attacks on Internet resources specified by the attacker through a legitimate site.

The attack was analyzed as the infection of a website belonging to a Russian city's gasification and gas supply services provider. The cybercriminals deployed this worm in a targeted attack focusing on people who accessed a specific website of a particular service provider in Russia.

Two dozen URLs to regulatory documents found on this website (docx, .xlsx, .rtf, and .pdf) were replaced by the threat actors with links to malicious executables (.exe) with the same name retrieved from the same website. 

Once clicked, these behaved like self-extracting archives containing the original document and the CMoon payload, each document having its own archive. 

After successful deployment, CMoon starts monitoring the network, looking for connected USB drives, exfiltrating stored data, and installing a worm copy on USBs. It also exfiltrates files from browsers containing saved passwords, cookies, bookmarks, browsing history, and data for auto-filling forms, including credit card data. 

It also checks for crypto wallets on the device, such as Bitcoin, Monero, Binance, and more, messaging apps like Pidgin and Telegram, SSH clients like Snowflake (Muon), FTP clients such as FileZilla, video recording and streaming software like OBS Studio, authenticators like WinAuth and Authy, remote access software such as MobaXterm, and also VPN clients like OpenVPN.

The worm was observed harvesting files containing words like "secret," "service," "services," and "password" from documents in Desktop, Documents, Photos, and Downloads folders and external media, as well as system security, user actions, and credentials.