Researchers at Avast are sounding the alarm over a rapidly growing Windows botnet known as DirtyMoe (also tracked as PurpleFox, Perkiler, and NuggetPhantom), which grew from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021.
The main purpose of the DirtyMoe botnet is to mine cryptocurrency on infected Windows machines, and it has a feature to launch DDoS attacks.
First spotted in 2017, the botnet was a small-time operation until the end of 2020, when the malware authors added a worm module that let it spread to other Windows systems over the internet. The module that implements the worm capabilities was observed scanning the internet and performing password brute-force attacks against Windows systems with the SMB port exposed online.
The researchers said they observed over 100,000 DirtyMoe hits, with the largest share of infections detected in Europe (45%) and Asia (33%).
“We observed the different distribution of countries and continents for C&C servers (IP addresses) and sample hits. Most of the C&C servers are located in China. We can deduce that the location of the malware source is in China. It is evident that the malware authors are a well-organized group that operates on all major continents,” the researchers said.
The DirtyMoe malware mainly spreads via malspam or malicious websites hosting the PurpleFox exploit kit, which uses browser vulnerabilities, such as the RCE bug in Internet Explorer (CVE-2020-0674), to install a rootkit component on unpatched Windows systems. The rootkit allows the malware to hijack the infected host and use it for crypto-mining.
“When one of the exploits is successful and gains system privileges, DirtyMoe can be installed on a victim’s machine. We observe that DirtyMoe utilizes Windows MSI Installer to deploy the malware. MSI Installer provides an easy way to install proper software across several platforms and versions of Windows. Each version requires a different location of installed files and registry entries. The malware author can comfortably set up DirtyMoe configurations for the target system and platform,” Avast noted.
More detailed technical information and Indicators of Compromise related to the attacks involving the DirtyMoe botnet can be found here.