Severity
High
Analysis Summary
Since early July 2024, a new self-spreading worm known as "CMoon" has been circulated throughout Russia via a compromised gas supply company website. This worm is capable of obtaining account credentials and other data.
The campaign was uncovered by researchers, who report that CMoon is capable of a wide range of operations, such as launching distributed denial of service (DDoS) attacks, taking screenshots, and loading additional payloads. Judging by the distribution route, the threat actors are going after high-value victims rather than random internet users, which points to a sophisticated operation.
According to cybersecurity researchers, the infection chain starts when users click on links to regulatory documents (.docx, .xlsx, .rtf, and .pdf) on various pages of the website of a company that supplies gas to a Russian city and carries out gasification work. The threat actors replaced those document links with links to malicious executables hosted on the same website: self-extracting archives, named after the original link, that contain both the original document and the CMoon payload.
Since researchers have found no other distribution channel for this malware, they believe the attack is limited to visitors of that specific website. After being notified of the compromise, the gas company removed the malicious files and links from its website on July 25, 2024. Nonetheless, CMoon may continue to spread on its own through its self-propagation mechanisms.
The CMoon .NET worm copies itself to a newly created folder named after the antivirus product it finds on the infected device or, if no AV is present, to a folder that resembles a system folder. To launch at system startup and persist across reboots, the worm creates a shortcut in the Windows Startup directory. It sets the creation and modification dates of its files to May 22, 2013, so that they do not stand out during a manual inspection.
The worm watches for newly attached USB devices and, when one is detected, replaces all files on it, except LNKs and EXEs, with shortcuts to the associated executable on the compromised system. CMoon also searches the USB devices for files of interest and temporarily stores them in hidden directories ('.intelligence' and '.usb') before exfiltrating them to the attacker's server.
CMoon has standard info-stealer capabilities, targeting cryptocurrency wallets, data stored in web browsers, messaging apps, FTP and SSH clients, and document files in USB or user folders whose names contain the strings "secret," "service," or "password." An interesting and rather rare feature is its targeting of files that may hold account credentials, such as .pfx, .p12, .kdb, .kdbx, .lastpass, .psafe3, .pem, .key, .private, .asc, .gpg, .ovpn, and .log files.
In addition, the malware can take screenshots of the compromised device, download and run further payloads, and launch DDoS attacks against predetermined targets. Stolen files and system data are compressed and sent to a remote server, where they are decrypted (RC4) and verified with an MD5 hash.
The researchers advise vigilance, as they leave open the possibility that sites they are not yet aware of could also distribute CMoon. The worm's self-propagation means that, however targeted this campaign is, it may still reach unintended systems and set the stage for opportunistic attacks.
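The host artifacts described above (a shortcut in the Startup folder, files timestomped to May 22, 2013, hidden '.intelligence' and '.usb' staging directories, and USB folders whose documents have been swapped for .lnk shortcuts) can be hunted for with a small script. The following is an added example written for this advisory, not code from the researchers or from the malware; the directory layout, file names and the 'Avast' folder name are constructed for the demo, and the "only .lnk and .exe files remain" rule is a heuristic of this example rather than a documented signature.

```python
"""Hunt for the host artifacts described above: a shortcut in a Startup
folder, files timestomped to 2013-05-22, hidden '.intelligence' / '.usb'
staging directories, and USB folders where documents have been swapped for
.lnk shortcuts. Every path and file here is constructed for the demo; on a
real host, point hunt() at the Startup folder and at removable drives."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

TIMESTOMP_DATE = (2013, 5, 22)            # date the worm stamps on its files (from the report)
STAGING_DIRS = {".intelligence", ".usb"}  # hidden USB staging folders named in the report


def is_timestomped(path: Path) -> bool:
    """Flag files whose modification (or, where the OS exposes it, creation)
    date is exactly the worm's fake date. Checked in UTC so the result does
    not depend on the analyst machine's time zone."""
    st = path.stat()
    for ts in (st.st_mtime, getattr(st, "st_birthtime", st.st_ctime)):
        d = datetime.fromtimestamp(ts, tz=timezone.utc)
        if (d.year, d.month, d.day) == TIMESTOMP_DATE:
            return True
    return False


def looks_like_lnk_swap(directory: Path) -> bool:
    """Heuristic (this example's, not the report's) for a removable drive the
    worm has visited: only .lnk and .exe files remain, at least one of each,
    because the originals were replaced by shortcuts to the executable."""
    files = [p for p in directory.iterdir() if p.is_file()]
    suffixes = [p.suffix.lower() for p in files]
    return (".lnk" in suffixes and ".exe" in suffixes
            and all(s in (".lnk", ".exe") for s in suffixes))


def hunt(root: Path) -> dict:
    """Walk root and collect each artifact class separately so an analyst can
    triage by confidence (a Startup .lnk alone is weak; all four together
    are strong)."""
    findings = {"startup_lnk": [], "timestomped": [], "staging_dir": [], "lnk_swap": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() in STAGING_DIRS:
            findings["staging_dir"].append(str(d))
        if d.name.lower() == "startup":
            findings["startup_lnk"].extend(
                str(d / f) for f in filenames if f.lower().endswith(".lnk"))
        if looks_like_lnk_swap(d):
            findings["lnk_swap"].append(str(d))
        for f in filenames:
            if is_timestomped(d / f):
                findings["timestomped"].append(str(d / f))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one clean folder plus the four artifact classes."""
    (root / "Documents").mkdir()
    (root / "Documents" / "notes.txt").write_text("clean file")
    (root / "Startup").mkdir()
    (root / "Startup" / "update.lnk").write_bytes(b"\x4c\x00\x00\x00")  # LNK header bytes only
    av_dir = root / "AppData" / "Local" / "Avast"   # folder named after a detected AV (constructed)
    av_dir.mkdir(parents=True)
    dropped = av_dir / "cmoon.exe"
    dropped.write_bytes(b"MZ")
    fake = datetime(2013, 5, 22, 12, 0, tzinfo=timezone.utc).timestamp()
    os.utime(dropped, (fake, fake))                  # timestomp atime/mtime to the worm's date
    usb = root / "USB"
    (usb / ".usb").mkdir(parents=True)               # hidden staging dir
    (usb / ".usb" / "passwords.docx").write_text("staged for exfil")
    (usb / "report.docx.lnk").write_bytes(b"\x4c\x00\x00\x00")
    (usb / "invoice.xlsx.lnk").write_bytes(b"\x4c\x00\x00\x00")
    (usb / "CMoon.exe").write_bytes(b"MZ")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return hunt() findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    for kind, hits in run_demo().items():
        print(f"{kind}: {hits}")
```

On a live system the creation-date check matters more than it does on Linux, where `st_ctime` is the inode change time and cannot be set by the worm; Windows exposes the creation timestamp that the report says is altered, so a match on both dates there is a stronger signal than a match on mtime alone.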
Impact
- Denial of Service
- Cyber Espionage
- Credential Theft
- Data Exfiltration
Indicators of Compromise
IP
- 93.185.167.95
MD5
- 132404f2b1c1f5a4d76bd38d1402bdfa
SHA-256
- a4be526be5359ad2981f439457fe652895731ad56c10c113c22a7836a9591e5d
SHA-1
- 661a1494b20668b9189c569aa1bfdcc89d9eebab
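A simple way to search an environment for the indicators listed above is to hash files on disk and scan connection logs for the C2 address. The following is an added example written for this advisory (not the researchers' tooling); the hash values and IP are the IOCs from this page, while the log lines and the sample file are constructed for the demo and do not correspond to any real sample.

```python
"""Sweep files for the hashes listed above and connection-log lines for the
listed IP. The hashes and IP are the page's IOCs; the log lines and the
sample file are constructed for the demo."""
import hashlib
import re
import tempfile
from pathlib import Path

# IOCs from the report (hex digests lower-cased for comparison)
IOC_HASHES = {
    "132404f2b1c1f5a4d76bd38d1402bdfa",                                  # MD5
    "661a1494b20668b9189c569aa1bfdcc89d9eebab",                          # SHA-1
    "a4be526be5359ad2981f439457fe652895731ad56c10c113c22a7836a9591e5d",  # SHA-256
}
IOC_IPS = {"93.185.167.95"}

# Match an IP only as a whole token, so 193.185.167.95 or 93.185.167.950 don't hit.
_IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _digests(chunks) -> dict:
    """Feed each chunk to MD5, SHA-1 and SHA-256 so a file is read only once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for chunk in chunks:
        for h in (md5, sha1, sha256):
            h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def hash_bytes(data: bytes) -> dict:
    return _digests([data])


def hash_file(path: Path) -> dict:
    with path.open("rb") as fh:
        return _digests(iter(lambda: fh.read(1 << 20), b""))


def sweep_files(root: Path) -> list:
    """Return (path, algorithm, digest) for every file whose digest is an IOC."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            for algo, digest in hash_file(p).items():
                if digest in IOC_HASHES:
                    hits.append((str(p), algo, digest))
    return hits


def scan_log_lines(lines) -> list:
    """Return log lines that contain an IOC IP as a complete address."""
    return [ln for ln in lines if any(ip in IOC_IPS for ip in _IP_RE.findall(ln))]


# Constructed firewall-style log: one true hit, one near-miss, one clean line.
SAMPLE_LOG = [
    "2024-08-01T10:02:11Z ALLOW 10.0.0.15:51522 -> 93.185.167.95:80 TCP",
    "2024-08-01T10:02:12Z ALLOW 10.0.0.15:51523 -> 193.185.167.95:443 TCP",
    "2024-08-01T10:02:13Z ALLOW 10.0.0.15:51524 -> 10.0.0.1:53 UDP",
]


def run_demo() -> dict:
    """Hash a constructed file (which matches nothing) and scan the sample log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sample.bin").write_bytes(b"abc")   # constructed file, not a real sample
        return {"file_hits": sweep_files(root), "log_hits": scan_log_lines(SAMPLE_LOG)}


if __name__ == "__main__":
    print(run_demo())
```

The IP regex uses look-around rather than `in`, because a plain substring test on "93.185.167.95" would also fire on the unrelated 193.185.167.95 in the second sample line.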
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.