DirtyMoe, also known as PurpleFox, Perkiler, or NuggetPhantom, is a Windows malware botnet that has been operational since at least 2016.
According to cybersecurity researchers, the malware, believed to have China-based developers, infected roughly 10,000 systems in 2020 and expanded considerably in the first half of 2021, reaching over 100,000.
Even though the malware has been active for several years, it is the most recent version of DirtyMoe that has brought it back into public attention.
According to security specialists, the first DirtyMoe samples did not work very well, being frequently unstable and producing obvious symptoms, but in the past few years the malware's development has been intriguing.
Experts at Avast analyzed new versions of the DirtyMoe malware and discovered that they have major changes in terms of anti-forensic, anti-debugging, and anti-tracking capabilities.
With the new release, the cybercriminals have a threat profile that requires considerable effort to track or identify.
DirtyMoe Botnet Operation Mode
The DirtyMoe botnet follows a straightforward idea: be modular, inconspicuous, and untraceable at the same time. The malware's main objective has always been to infect Windows systems and mine cryptocurrency without the user's knowledge.
However, back in 2018, experts also identified a feature that launches Distributed Denial of Service (DDoS) attacks.
DirtyMoe's attack starts with the cybercriminals trying to obtain admin privileges on a victim's Windows computer. It uses the PurpleFox exploit kit to abuse EternalBlue (CVE-2017-0144), a Windows vulnerability.
A preferred method of infecting a target machine with this malware is using infected files and phishing emails containing URLs that exploit Internet Explorer vulnerabilities as a means of acquiring higher privileges.
Once the threat actors gain system privileges, the DirtyMoe botnet can be installed on the target's device. Avast researchers noticed that DirtyMoe uses the Windows MSI Installer to deploy the malware.
The MSI Installer makes it easier to install the same software across several Windows platforms and versions. At this point, the botnet operator can set up the DirtyMoe configuration for the victim's system with little effort.
The MSI package overwrites the system file sens.dll via the Windows Session Manager. DirtyMoe thereby abuses the Windows System Event Notification Service (SENS) to get started by the system itself. The infected SENS service acts as a mediator that deploys the DirtyMoe service.
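The sens.dll overwrite described above is a persistence point a defender can check directly. The following PowerShell is an added example (not code from the article or from Avast): it verifies that sens.dll is still a signed Microsoft binary and that the SENS service still loads it from System32. $BaselineSha256 is a placeholder for a hash you take from a known-clean machine of the same Windows build; no hash here comes from the article.

```powershell
# Added example: integrity check for the SENS persistence point.
# Assumes a standard Windows install; run from an elevated PowerShell.
function Test-SensIntegrity {
    param(
        # Placeholder: replace with the SHA256 of sens.dll from a clean reference system.
        [string]$BaselineSha256 = 'REPLACE_WITH_KNOWN_GOOD_SHA256'
    )
    $sensDll = Join-Path $env:SystemRoot 'System32\sens.dll'

    # 1. Signature: a rewritten sens.dll is no longer a signed Microsoft binary.
    #    Catalog-signed OS files are reported as Valid on supported Windows versions.
    $sig = Get-AuthenticodeSignature -FilePath $sensDll
    $signatureOk = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -like '*Microsoft*')

    # 2. Hash comparison against the known-good baseline (skipped while the
    #    placeholder is still in place).
    $hash = (Get-FileHash -Path $sensDll -Algorithm SHA256).Hash
    $hashOk = ($BaselineSha256 -ne 'REPLACE_WITH_KNOWN_GOOD_SHA256') -and
              ($hash -ieq $BaselineSha256)

    # 3. Service configuration: SENS should run inside svchost.exe and its
    #    ServiceDll value should still point at System32\sens.dll.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SENS'"
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SENS\Parameters'
    $serviceDll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $configOk = ($svc.PathName -like '*svchost.exe*') -and
                ($serviceDll -ieq $sensDll)

    # 4. Extra services that borrow the SENS display name deserve a look.
    $lookalikes = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -ne 'SENS' -and
                       $_.DisplayName -like '*System Event Notification*' } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        File              = $sensDll
        SignatureOk       = $signatureOk
        Sha256            = $hash
        HashMatchesBaseline = $hashOk
        ServiceConfigOk   = $configOk
        LookalikeServices = $lookalikes
        Suspicious        = -not ($signatureOk -and $configOk)
    }
}

Test-SensIntegrity | Format-List
```

A result with SignatureOk or ServiceConfigOk set to False warrants an offline comparison of the file with the Windows tooling (for example sfc /verifyfile) and a review of the MSI installation log on that host.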
How Do They Hide?
Throughout, the cybercriminals have used VMProtect software and their own encryption/decryption algorithm to conceal their operation.
Researchers first noticed VMProtect use back in 2018; before adopting VMProtect, the DirtyMoe developers relied on common obfuscation techniques that still exist in the VMProtected variants of DirtyMoe.
They also used rootkit techniques to conceal the malware, and a multi-level network communication architecture so that no server IP addresses are hardcoded.
How Can Organizations Protect Themselves Against DirtyMoe Malware?
According to specialists, the DirtyMoe botnet is still operational and is probably under continuous development to become more capable. Organizations should therefore:
- Invest in modern vulnerability management solutions to protect their networks and systems;
- Provide employee security awareness training;
- Use multi-factor authentication;
- Ensure an adequate anti-phishing strategy for extra security.