Active since 2017, DirtyMoe is a complex malware and has been built as a modular system. It has been growing rapidly and last year in August, the botnet came with major upgrades with anti-debugging, anti-tracking, and anti-forensic functionalities. This year, it is again back with new capabilities that allow it to spread without the need for any user interaction.
What’s going on?
DirtyMoe operators changed dramatically since the end of 2020 and added a worm module that increases the botnet’s activity by propagating to other Windows systems via the internet. The latest modules require no user interaction to spread further. One worm module can produce and attack thousands of public and private IP addresses on a daily basis.
Modus operandi
Avast researchers have observed three main ways in which the malware is being disseminated - PurpleFox EK, PurpleFox Worm, and injected Telegram installers. Nevertheless, it is highly likely that the malware propagates through other methods too.
The modules target older flaws, such as Hot Potato Windows privilege escalation and EternalBlue.
They are capable of conducting dictionary attacks leveraging Service Control Manager Remote Protocol, MS SQL, and WMI services.
The algorithm generates targets’ IP addresses based on the geographical locations of the worming modules.
The DirtyMoe service is run as a svchost process that starts the Executioner and Core processes. The former loads a Monero miner module and a worming replication module.
The botnet exploits the vulnerabilities - CVE-2019-9082, CVE-2019-2725, CVE-2019-1458, CVE-2018-0147, CVE-2017-0144, and MS15-076.
The worming module can attain RCE under admin privileges and install DirtyMoe.
Why this matters
Many potential victims are at risk of attacks since hundreds of machines have weak passwords or are still unpatched. The module, furthermore, targets home and local networks, signifying that even private networks behind firewalls are at risk. One of the in-development worming modules contains exploits targeting Java Deserialization, PHP, and Oracle Weblogic Servers, which indicates that the botnet operators are planning on expanding their reach further.
The bottom line
As DirtyMoe is constantly evolving and furthering its attack surface, the emergence of critical flaws such as Log4j offers the operators a “tremendous and powerful opportunity to implement a new worming module.” Hence, researchers will continue looking into this threat. Users are recommended to patch their systems as soon as possible.