Friend
Kaspersky Lab researchers have uncovered a new self-propagating USB worm called CMoon that targets Russians.
CMoon, which can steal credentials and other data, has been distributed in Russia since the beginning of July 2024 through the compromised website of a gas company.
According to the researchers, CMoon as a whole can perform a wide range of functions, including downloading additional payloads, taking screenshots, and launching DDoS attacks.
Judging by the distribution channel the attackers used, they are focused on high-value targets rather than on random Internet users, which indicates a deliberate, well-prepared campaign.
The infection chain begins when the user clicks on links to regulatory documents (docx, xlsx, rtf, and pdf) posted on various pages of the company's website that provides gasification and gas supply services.
The attackers replaced the legitimate links with malicious executables, which were also hosted on the site and delivered to victims as self-extracting archives containing the original document together with the CMoon payload.
No other distribution vectors for this malware have been observed so far, so it is assumed that the attack is aimed exclusively at the audience of this particular site.
After the company was notified of this compromise, malicious files and links were removed from the site on July 25, 2024.
However, because of CMoon's self-propagation mechanisms, it can continue to spread autonomously.
CMoon is a .NET worm that copies itself to a new folder named after the antivirus software it finds on the infected device, or to a folder that resembles a system folder if no antivirus solution is present.
The worm creates a shortcut in the Windows startup directory so that it runs at system startup and remains active across reboots.
In order not to arouse suspicion during manual checks, it changes the creation and modification dates of its files to May 22, 2013.
The worm monitors newly connected USB drives, and when one is plugged into the infected machine it replaces every file except LNK and EXE files with shortcuts to its own executable.
CMoon also searches USB drives for files of interest and temporarily stores them in hidden directories (".intelligence" and ".usb") before they are transferred to the attacker's server.
CMoon has standard information-stealing features that target cryptocurrency wallets, browser data, instant messengers, FTP and SSH clients, as well as document files containing the keywords "secret", "service" or "password".
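The three host-side indicators described above (the hidden ".intelligence"/".usb" staging directories, a drive where the original files have been swapped for .lnk shortcuts next to an .exe, and files backdated to May 22, 2013) can be checked on a mounted drive with a short triage script. This is an added example, not code from the report or from Kaspersky; the sample drive it builds is constructed, and the file name "Update.exe" is a placeholder, not a name from the report.

```python
import os
import tempfile
import datetime as dt
from pathlib import Path

# Indicators taken from the report: hidden staging directories, a drive where every
# original file has been swapped for a .lnk shortcut, and May 22, 2013 timestamps.
STAGING_DIRS = {".intelligence", ".usb"}
BACKDATE = dt.date(2013, 5, 22)

def triage_drive(root):
    """Walk a mounted drive and return a list of human-readable findings."""
    root = Path(root)
    findings, lnk, exe, other = [], 0, 0, 0
    for dirpath, dirnames, filenames in os.walk(root):
        for d in list(dirnames):
            if d in STAGING_DIRS:
                findings.append(f"staging dir: {Path(dirpath, d).relative_to(root)}")
                dirnames.remove(d)  # stolen copies inside are not the drive's own content
        for name in filenames:
            path = Path(dirpath, name)
            suffix = path.suffix.lower()
            if suffix == ".lnk":
                lnk += 1
            elif suffix == ".exe":
                exe += 1
            else:
                other += 1
            if dt.datetime.fromtimestamp(path.stat().st_mtime).date() == BACKDATE:
                findings.append(f"backdated file: {path.relative_to(root)}")
    # Only shortcuts and an executable left on the drive matches the replacement behaviour.
    if lnk >= 3 and exe >= 1 and other == 0:
        findings.append(f"shortcut-only layout: {lnk} .lnk, {exe} .exe, no other files")
    return findings

def build_sample_drive():
    """Construct a throwaway directory that mimics an infected drive (sample data, not a capture)."""
    root = Path(tempfile.mkdtemp(prefix="cmoon_sample_"))
    for stem in ("report", "invoice", "photo"):
        (root / f"{stem}.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder shortcut bytes
    worm = root / "Update.exe"  # hypothetical file name, not from the report
    worm.write_bytes(b"MZ")
    stamp = dt.datetime(2013, 5, 22, 12, 0).timestamp()
    os.utime(worm, (stamp, stamp))  # the report's backdated timestamp
    loot = root / ".intelligence"
    loot.mkdir()
    (loot / "passwords.txt").write_text("constructed sample")
    return root

if __name__ == "__main__":
    for line in triage_drive(build_sample_drive()):
        print(line)
```

Run it against a mounted drive letter or mount point instead of the sample directory; a clean drive returns an empty list.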
An interesting and somewhat unusual feature is targeting files that may contain credentials, such as pfx, p12, kdb, kdbx, lastpass, psafe3, pem, key, private, asc, gpg, ovpn, and log files.
Malware can load and execute additional payloads, take screenshots of the compromised device, and initiate DDoS attacks on specified targets.
Stolen files and system information are packaged and sent to an external server, where they are decrypted (RC4) and checked for integrity using an MD5 hash.
Kaspersky Lab also does not rule out that CMoon is being distributed through other sites, so vigilance is recommended.
No matter how targeted this campaign may be, the fact that the worm is spreading autonomously means that it can reach unintended systems and create conditions for opportunistic attacks.
• Source: https://securelist.ru/how-the-cmoon-worm-collects-data/109988/