DirtyMoe is a Windows botnet that has infected over 100,000 Windows systems in the first half of 2021, compared to 10,000 infected systems in 2020.
Researchers from Avast warn about the spike in activity of the botnet, which is also known as PurpleFox, Perkiler, and NuggetPhantom, and describe a new infection vector.
DirtyMoe is a multi-purpose complex Windows malware that has been active since 2017. It was mainly used for mining cryptocurrency in 2017 and as part of DDoS attacks in 2018.
Its operators distribute the DirtyMoe rootkit via malspam campaigns and by tricking users into visiting malicious sites that host the PurpleFox exploit kit, which the attackers use to exploit CVE-2020-0674, a scripting engine memory corruption vulnerability.
Since 2020, it’s been considerably upgraded by its authors. For example, DirtyMoe added a worm module for spreading to other Windows systems via the Internet.
“Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise,” reads the analysis published by AVAST.
DirtyMoe’s worm-like module has been observed carrying out these brute-force attacks remotely against Windows systems.
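The SMB brute-force vector described above leaves a recognisable trace on the target: a burst of failed network logons (Windows Security Event ID 4625 with LogonType 3) from one source address, often against several account names, sometimes followed by a successful network logon (Event ID 4624) from the same source. The following detector is an added example written for this article; it is not Avast's code and not taken from the DirtyMoe analysis. It runs over a small set of constructed, pipe-separated event lines (timestamp, event ID, logon type, source IP, user), and the threshold of five failures in two minutes is an assumed tuning value, not a figure from the report.

```python
"""Detect SMB-style password brute force from Windows Security log events.

Added example, not Avast's code and not part of the DirtyMoe analysis. It
counts failed network logons (Event ID 4625, LogonType 3) per source address
inside a sliding time window, flags sources that exceed a threshold, and notes
whether a successful network logon (Event ID 4624) from that source followed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry), flattened to the fields a
# SIEM would normally extract: timestamp|event_id|logon_type|source_ip|user
SAMPLE_EVENTS = """\
2021-06-15T10:00:01|4625|3|192.0.2.10|Administrator
2021-06-15T10:00:03|4625|3|192.0.2.10|admin
2021-06-15T10:00:05|4625|3|192.0.2.10|backup
2021-06-15T10:00:08|4625|3|192.0.2.10|guest
2021-06-15T10:00:11|4625|3|192.0.2.10|sqlsvc
2021-06-15T10:00:14|4625|3|192.0.2.10|Administrator
2021-06-15T10:00:20|4624|3|192.0.2.10|Administrator
2021-06-15T10:01:00|4625|3|198.51.100.7|jdoe
2021-06-15T10:09:00|4625|3|198.51.100.7|jdoe
2021-06-15T10:05:00|4625|2|203.0.113.5|jdoe
"""


def parse_event(line):
    """Split one constructed log line into a typed record."""
    ts, event_id, logon_type, source_ip, user = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "source_ip": source_ip,
        "user": user,
    }


def load_events(text):
    """Parse all non-empty lines and order them by timestamp."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["time"])


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: report} for sources that produced at least
    `threshold` failed network logons within any `window`. Threshold and
    window are assumed tuning values, not figures from the report."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    failures = defaultdict(int)   # source_ip -> total failure count
    users = defaultdict(set)      # source_ip -> account names attempted
    flagged = {}

    for e in events:
        if e["logon_type"] != 3:
            continue  # only network logons; SMB authentication is one of them
        src = e["source_ip"]
        if e["event_id"] == 4625:
            failures[src] += 1
            users[src].add(e["user"])
            q = recent[src]
            q.append(e["time"])
            # drop failures that fell out of the sliding window
            while q and e["time"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {"first_seen": q[0], "success_after": False}
        elif e["event_id"] == 4624 and src in flagged:
            # a successful network logon after a flagged burst is the
            # strongest signal that the password guessing worked
            flagged[src]["success_after"] = True

    for src, rep in flagged.items():
        rep["failures"] = failures[src]
        rep["users"] = sorted(users[src])
    return flagged


def analyze_sample():
    """Run the detector over the constructed sample events."""
    return find_bruteforce_sources(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for src, rep in analyze_sample().items():
        print(f"{src}: {rep['failures']} failed network logons, "
              f"{len(rep['users'])} accounts tried, "
              f"success afterwards: {rep['success_after']}")
```

In the sample, 192.0.2.10 is flagged (six failures against five account names in under fifteen seconds, followed by a successful logon), while 198.51.100.7 is not, because its two failures are eight minutes apart. The sliding window is what keeps the slow, legitimate mistypes of the second source from tripping the alert; in production the threshold and window would be tuned against the environment's normal failure rate.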
Researchers note a spike in the bot’s activity. “The increase of incidences has been higher in orders of magnitude this year,” they said in the report.
Most of the hits were in Russia, followed by Ukraine, Vietnam, and Brazil.
Experts noted that this data only pertains to systems that run AVAST’s antivirus solution. The number of victims is likely far greater.
The majority of the C&C servers used in the attacks are located in China. This indicates that the threat actors behind the campaign are well-organized and working on a global scale.
“The malware implements many self-defense and hiding techniques applied on local, network, and kernel layers. Communication with C&C servers is based on DNS requests and it uses a special mechanism translating DNS results to a real IP address. Therefore, blocking of C&C servers is not an easy task since C&C addresses are different each time and they are not hard-coded,” continues the analysis. “Both PurpleFox and DirtyMoe are still active malware and gaining strength.”
Avast released detailed information about this botnet’s attacks, including indicators of compromise (IOCs).