New CMoon worm hides behind legitimate documents

CMoon is a .NET worm discovered by Kaspersky Lab in July 2024 that steals confidential data, downloads additional malware, and can initiate DDoS attacks on specified resources. It spread through a compromised legitimate website targeting visitors in Russia and can monitor USB drives, exfiltrate data from browsers and wallets, and execute remote commands.

Key points

  • CMoon is a .NET worm that steals data and allows remote control.
  • Delivered via a compromised legitimate website, replacing links to documents with malicious executables.
  • Monitors USB drives to steal files and propagate itself to other computers.
  • Can execute commands from a remote server, including downloading additional malware and initiating DDoS attacks.
  • Collects sensitive information from various applications, including browsers, crypto wallets, and messaging apps.
  • The attack appears targeted to visitors of a specific site in Russia.
  • Kaspersky Lab neutralized the threat after discovery and removal of malicious files.

MITRE Techniques

  • [T1189] Drive-by Compromise – The worm was distributed via a compromised legitimate website, with links to downloadable documents replaced to point to malicious executables. “the links to download normative documents in formats .docx, .xlsx, .rtf and .pdf were replaced with others that led to malicious executable files.”
  • [T1005] Data from Local System – Collects sensitive files from user directories based on specific keywords.
  • [T1090] USB Device Exploitation – Infects USB drives to spread to other systems.
  • [T1071] Command and Control – Communicates with a remote server to receive commands and send stolen data.
  • [T1003] Credential Dumping – Steals saved passwords, cookies, and autofill data from browsers.
  • [T1203] Execution – Executes malicious payloads after infection via self-extracting archives.
  • [T1041] Exfiltration Over Command and Control Channel – Sends collected data back to the attacker’s server.

Indicators of Compromise

  • [IP] 93.185.167.95:9899 – CMoon C2 server
  • [Domain] www.pornhub.com – used to check internet connectivity before contacting C2
  • [MD5] 132404f2b1c1f5a4d76bd38d1402bdfa – MD5 hash associated with the malware payload
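The two detection angles this summary offers a defender are the delivery trick (an executable served under a .docx/.xlsx/.rtf/.pdf link) and the listed IoCs. The following Python is an added example, not code from the page or from Kaspersky: it flags downloaded files whose content starts with a Windows PE header despite a document extension, matches file hashes against the page's MD5, and searches firewall-style log lines for connections to the C2 endpoint. The `dst=IP:PORT` log format, the sample downloads and the log lines are constructed for the example; the magic-byte values are the well-known file signatures.

```python
import hashlib
import re
from pathlib import Path

# Indicators taken from the page's IoC list
CMOON_C2_IP = "93.185.167.95"
CMOON_C2_PORT = 9899
CMOON_MD5 = "132404f2b1c1f5a4d76bd38d1402bdfa"

# Document formats the page says were swapped for executables on the compromised site
DOCUMENT_EXTENSIONS = {".docx", ".xlsx", ".rtf", ".pdf"}

# Leading bytes a genuine file of each format starts with (well-known signatures:
# OOXML documents are ZIP containers, PDF and RTF begin with text headers)
EXPECTED_MAGIC = {
    ".docx": b"PK",
    ".xlsx": b"PK",
    ".pdf": b"%PDF",
    ".rtf": b"{\\rtf",
}

def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()

def classify_content(filename, data, known_hashes=frozenset({CMOON_MD5})):
    """Return findings for one downloaded file: a known-bad hash, or executable
    content hiding behind a document extension (the page's delivery trick)."""
    findings = []
    if md5_of_bytes(data) in known_hashes:
        findings.append("md5 matches known CMoon sample")
    ext = Path(filename).suffix.lower()
    if ext in DOCUMENT_EXTENSIONS:
        if data.startswith(b"MZ"):          # DOS/PE header: a Windows executable
            findings.append(f"PE executable served as {ext}")
        elif not data.startswith(EXPECTED_MAGIC[ext]):
            findings.append(f"content does not look like {ext}")
    return findings

def classify_file(path, known_hashes=frozenset({CMOON_MD5})):
    """Same check for a file on disk, e.g. from a browser download folder."""
    with open(path, "rb") as f:
        return classify_content(path, f.read(), known_hashes)

# Hypothetical firewall log format (constructed): "... dst=IP:PORT ..."
DST_FIELD = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\b")

def find_c2_connections(log_lines):
    """Return log lines whose destination is the CMoon C2 endpoint."""
    hits = []
    for line in log_lines:
        m = DST_FIELD.search(line)
        if m and m.group("ip") == CMOON_C2_IP and int(m.group("port")) == CMOON_C2_PORT:
            hits.append(line)
    return hits

# Constructed sample data (not from the page): two "downloads" and three log lines
SAMPLE_DOWNLOADS = {
    "prikaz_2024.docx": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,  # PE bytes behind a .docx name
    "prikaz_2024_real.docx": b"PK\x03\x04" + b"\x00" * 60,            # genuine OOXML container
}
SAMPLE_LOG = [
    "2024-07-15T10:02:11Z src=10.0.0.12:51234 dst=93.185.167.95:9899 proto=tcp action=allow",
    "2024-07-15T10:02:12Z src=10.0.0.12:51235 dst=93.185.167.95:443 proto=tcp action=allow",
    "2024-07-15T10:02:13Z src=10.0.0.13:51236 dst=203.0.113.7:9899 proto=tcp action=allow",
]

if __name__ == "__main__":
    for name, data in SAMPLE_DOWNLOADS.items():
        print(name, classify_content(name, data) or ["clean"])
    for hit in find_c2_connections(SAMPLE_LOG):
        print("C2 contact:", hit)
```

The hash match is the weakest of the three checks, since any rebuild of the sample changes it; the magic-byte check catches the delivery technique itself regardless of which executable is served, and the C2 match can be run over proxy or firewall history to find hosts that already contacted the server.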

Read more: https://securelist.ru/how-the-cmoon-worm-collects-data/109988/