The DirtyMoe botnet, which has been around since 2016, made some major changes in its latest version. Avast's threat intelligence team issued a deep dive into what the new version of the malware does and how to defend against it.
In 2016, DirtyMoe's initial iteration, then known as NuggetPhantom, had many deficiencies, and its early samples behaved unstably. After five years of evolution, its most recent variants are on par with other known threats in overall capability; according to Avast, their anti-forensic, anti-debugging and anti-tracking features match those of other mature malware. DirtyMoe has acquired a modular structure and a threat profile that is hard to detect or track.
DirtyMoe's attack chain typically begins with the attacker trying to obtain administrator privileges on the targeted Windows machine, and its authors have used several methods to get there. Their favourite is the SMBv1 vulnerability exploited by EternalBlue (MS17-010), which they deliver through the PurpleFox exploit kit.
Other routes included phishing emails and infected files carrying links to Internet Explorer exploits that elevate privileges. Once the attackers have admin rights, they install DirtyMoe through the Windows MSI installer. They also use the Windows Session Manager to overwrite the system file 'sens.dll', so that the main DirtyMoe botnet service runs at SYSTEM level under the name of a legitimate Windows component and is hard for security tools to spot.
Threat actors used DirtyMoe mostly for cryptojacking and to launch distributed denial-of-service attacks.
The attackers hide their activity in several ways: rootkit techniques conceal the botnet components on the host, and a multi-level network communication architecture hides the servers behind it.
PurpleFox itself predates the current DirtyMoe version. Trend Micro first observed it in September 2019, when the RIG exploit kit delivered PurpleFox, which in turn downloaded and executed cryptomining malware.
In the spring of 2021, PurpleFox was modified to break into Windows machines through SMB password brute-force attacks, which let it propagate as a worm.
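The behaviours described above (EternalBlue over SMBv1, the replaced sens.dll and its SYSTEM-level service, file replacement through the Session Manager, and the 2021 SMB brute-force worm) each leave something a defender can check on a single host. The script below is an added example written for this page; it is not Avast's code and does not come from the malware. It assumes the "Windows Session Manager" file replacement refers to the PendingFileRenameOperations value that smss.exe processes at boot, and the brute-force threshold is an arbitrary value to tune per environment.

```powershell
# Added example (not from Avast's report): host triage checks for the DirtyMoe /
# PurpleFox behaviours described above. Run from an elevated PowerShell on the host.
# Assumptions are marked in comments; nothing here is taken from the malware itself.

# --- 1. EternalBlue needs SMBv1. Verify the server-side protocol is disabled. ---
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled. Disable it: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
} else {
    Write-Output 'OK: SMBv1 server protocol is disabled.'
}

# --- 2. DirtyMoe replaces sens.dll. Check the file on disk is the Microsoft original. ---
$sensPath = Join-Path $env:SystemRoot 'System32\sens.dll'
$sig = Get-AuthenticodeSignature -FilePath $sensPath
# Windows system DLLs are usually catalog-signed; on Windows 8.1 and later
# Get-AuthenticodeSignature consults the catalogs, so a genuine file reports 'Valid'.
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning "sens.dll fails signature check: Status=$($sig.Status) Signer=$($sig.SignerCertificate.Subject)"
} else {
    $hash = (Get-FileHash -Path $sensPath -Algorithm SHA256).Hash
    Write-Output "OK: sens.dll is Microsoft-signed (SHA256 $hash)."
}
# Second opinion from Windows Resource Protection (output is locale-dependent; read it manually).
sfc "/VERIFYFILE=$sensPath"

# The SENS service runs inside svchost.exe; its ServiceDll value must point at the same file.
$svcDll = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\SENS\Parameters' -Name ServiceDll).ServiceDll
Write-Output "SENS ServiceDll = $svcDll"
if ([Environment]::ExpandEnvironmentVariables($svcDll) -ne $sensPath) {
    Write-Warning 'SENS ServiceDll does not point at System32\sens.dll'
}

# --- 3. Session Manager file replacement. Assumption: the report's description matches the
# PendingFileRenameOperations mechanism, which smss.exe processes at boot to move or overwrite
# files that are locked while Windows is running. A queued operation touching System32 is
# worth a closer look. ---
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($pending) {
    # The value is a flat list of source/destination pairs; an empty destination means delete.
    for ($i = 0; $i -lt $pending.Count; $i += 2) {
        $src = $pending[$i]
        $dst = if ($i + 1 -lt $pending.Count) { $pending[$i + 1] } else { '' }
        $flag = if (($src + $dst) -match 'System32') { '!!' } else { '  ' }
        Write-Output "$flag pending: '$src' -> '$dst'"
    }
} else {
    Write-Output 'OK: no PendingFileRenameOperations queued.'
}

# --- 4. The 2021 PurpleFox variant brute-forces SMB logons. On the victim, that shows up as
# many failed network (type 3) logons from one source in a short window: event ID 4625. ---
$threshold = 20   # assumption: tune to the environment
$since = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$events |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Ip        = ($d | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |
    Group-Object Ip |
    Where-Object { $_.Count -ge $threshold } |
    ForEach-Object { Write-Warning "$($_.Count) failed network logons from $($_.Name) since $since (possible SMB brute force)" }
```

The signature and ServiceDll checks catch the specific persistence trick the report describes; the SMBv1 check removes the EternalBlue entry point entirely rather than detecting it after the fact. The 4625 grouping is deliberately coarse: it fires on any source hammering network logons, which is the worm behaviour regardless of which malware family is behind it.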