A recent study has found that the malware dubbed DirtyMoe has gained new worm-like propagation capabilities that allow it to spread without any user interaction.
“The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation,” Avast researcher Martin Chlumecký said in a report published Wednesday. “One worm module can generate and attack hundreds of thousands of private and public IP addresses per day; many victims are at risk since many machines still use unpatched systems or weak passwords.”
The DirtyMoe botnet has been active since 2016, and it uses external exploit kits like PurpleFox or trojanized Telegram Messenger installers to carry out cryptojacking and distributed denial-of-service (DDoS) attacks. A DirtyMoe service is also employed as part of the attack sequence; it launches two further processes, the Core and the Executioner, which load the modules for Monero mining and propagate the malware in a worm-like fashion.
The worming modules infect victims’ computers by exploiting a variety of vulnerabilities to install malware, with each module focusing on a different weakness based on information collected after reconnaissance:
- CVE-2019-9082: ThinkPHP – Multiple PHP Injection RCEs
- CVE-2019-2725: Oracle Weblogic Server – ‘AsyncResponseService’ Deserialization RCE
- CVE-2019-1458: WizardOpium Local Privilege Escalation
- CVE-2018-0147: Deserialization Vulnerability
- CVE-2017-0144: EternalBlue SMB Remote Code Execution (MS17-010)
- MS15-076: RCE Allow Elevation of Privilege (Hot Potato Windows Privilege Escalation)
- Dictionary attacks aimed at MS SQL Server, SMB, and Windows Management Instrumentation (WMI) services protected by weak passwords.
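The last item in that list is the one most environments can detect without a signature, because a dictionary attack against MSSQL, SMB or WMI leaves a burst of failed logons from a single source. The following detector is an added example written for this article; it is not code from Avast or from the DirtyMoe analysis. The record format and the sample log lines are constructed for illustration (the IP addresses are documentation ranges), and the function and parameter names are assumptions. It applies a sliding window per (source IP, service) pair and distinguishes a classic dictionary attack (one account, many attempts) from a password spray (many accounts), which is the same pattern you would see in Windows Security event 4625 or SQL Server error 18456 once those are mapped into the same tuple shape.

```python
"""Detect dictionary attacks against MSSQL / SMB / WMI from failed-logon records.

Added example (not from the Avast report or the article): flags a source IP
that produces many failed logons against one service inside a short window.
The record format and sample lines are constructed for illustration; map real
sources (Windows Security 4625, SQL Server 18456) into the same tuple shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <service> FAIL src=<ip> user=<name>"
SAMPLE_LOG = """\
2022-03-02T10:00:01 MSSQL FAIL src=203.0.113.7 user=sa
2022-03-02T10:00:02 MSSQL FAIL src=203.0.113.7 user=sa
2022-03-02T10:00:03 MSSQL FAIL src=203.0.113.7 user=sa
2022-03-02T10:00:04 MSSQL FAIL src=203.0.113.7 user=sa
2022-03-02T10:00:05 MSSQL FAIL src=203.0.113.7 user=sa
2022-03-02T10:00:06 MSSQL FAIL src=203.0.113.7 user=sa
2022-03-02T10:00:30 SMB FAIL src=198.51.100.9 user=administrator
2022-03-02T10:00:31 SMB FAIL src=198.51.100.9 user=backup
2022-03-02T10:00:32 SMB FAIL src=198.51.100.9 user=svc_sql
2022-03-02T10:00:33 SMB FAIL src=198.51.100.9 user=guest
2022-03-02T10:00:34 SMB FAIL src=198.51.100.9 user=admin
2022-03-02T10:00:35 SMB FAIL src=198.51.100.9 user=test
2022-03-02T10:05:00 WMI FAIL src=192.0.2.44 user=alice
2022-03-02T10:20:00 WMI FAIL src=192.0.2.44 user=alice
2022-03-02T10:40:00 WMI FAIL src=192.0.2.44 user=alice
"""


def parse_line(line):
    """Parse one constructed record into (timestamp, service, src_ip, user).

    Returns None for records that are not failures, so successful logons are
    ignored by the detector.
    """
    ts, service, status, src, user = line.split()
    if status != "FAIL":
        return None
    return (datetime.fromisoformat(ts), service,
            src.split("=", 1)[1], user.split("=", 1)[1])


def detect_dictionary_attacks(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(src_ip, service): info} for every source that produced at least
    `threshold` failed logons against one service within any span of `window`.

    A sliding window over the time-sorted failures finds the densest burst, so
    a slow, spaced-out trickle (the WMI sample above) is not flagged while a
    burst of guesses is.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, service, src, user = rec
            events[(src, service)].append((ts, user))

    alerts = {}
    for key, recs in events.items():
        recs.sort()
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        count, start, end = best
        if count >= threshold:
            users = {u for _, u in recs[start:end + 1]}
            # one account, many attempts = dictionary attack on that account;
            # many accounts = password spray against default/weak credentials
            alerts[key] = {
                "failures": count,
                "distinct_users": len(users),
                "pattern": "dictionary" if len(users) == 1 else "spray",
            }
    return alerts


if __name__ == "__main__":
    for (src, svc), info in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{src} -> {svc}: {info}")
```

Tune `threshold` and `window` to the service: an MSSQL listener exposed to the internet sees far more background noise than WMI on an internal segment, and a spray that rotates source addresses will only show up if you additionally aggregate on the targeted account. The cheapest mitigations the article points at remain patching MS17-010 and enforcing non-default, non-trivial passwords on `sa` and local administrator accounts.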
According to Chlumecký, the worming module’s primary purpose is to achieve remote code execution under administrator credentials and install a new DirtyMoe instance. He added that one of the component’s essential functions is to generate a list of target IP addresses based on the module’s geographical location. Moreover, attacks targeting PHP, Java deserialization, and Oracle WebLogic Servers were discovered in another worming module still in development, suggesting that the attackers are seeking to widen the scope of the infections.