Over 2K PCs in Ukraine found to be infected with DirtyMoe malware

Ukraine's Computer Emergency Response Team (CERT-UA) said it detected a widespread cyberattack that infected more than 2,000 computers across the country with the DirtyMoe (PurpleFox) malware.

DirtyMoe is a complex, modular malware family that has been known for over five years. It is deployed using various kits such as PurpleFox, or via Telegram Messenger installers injected with the malware, which require user interaction. The malware is focused on (but not limited to) cryptojacking and DDoS attacks. DirtyMoe runs as a Windows service with system-level privileges, obtained via the EternalBlue exploit and at least three other exploits. According to Avast, the specific functionality is controlled remotely by the malware authors, who can reconfigure thousands of DirtyMoe instances to the desired functionality within a few hours.

The infection typically begins with the execution of popular software bundled with an MSI installer. The backdoor is equipped with a rootkit that prevents the removal of its components from the file system and the operating system registry while the system is booted normally.

DirtyMoe can self-propagate by acquiring authentication data and/or exploiting vulnerabilities on computers in the local area network, as well as on computers drawn from a list of IP addresses generated by a specific algorithm that depends on the "external" IP address of the infected host.

To ensure resilience in communication with its control infrastructure, the malware uses at least three methods, one of which is to obtain A-record values for statically defined domain names using both local and external DNS servers.

In addition, the IP addresses stored in the operating system registry and those obtained through DNS queries are obfuscated.

CERT-UA said it identified 486 IP addresses of intermediary control servers between January 20 and January 31, 2024, the majority of which belonged to compromised equipment located in China. About 20 new IP addresses are added to the monitoring list daily, the cyber defenders said.

CERT-UA tracks this activity under the identifier UAC-0027 and has shared Indicators of Compromise (IoCs) related to the threat.
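Two of the behaviours described above are directly observable at the network perimeter: an infected host querying external DNS servers directly (bypassing the organisation's own resolvers), and connections to the intermediary control-server IPs that CERT-UA published as IoCs. The following script is an added example written for this article, not code from CERT-UA or Avast. It runs both checks over a constructed, simplified firewall log; the log format, the sanctioned resolver addresses and the IoC list are all placeholders (RFC 5737 documentation addresses stand in for real external IPs), so in practice you would load the published IoC list and your own resolver addresses.

```python
"""Added example: flag direct-to-external DNS and known-C2 connections in a firewall log.

Assumptions (not from the original article):
- Log format is a constructed, simplified export: "<ts> <src_ip> <dst_ip> <dst_port> <proto>"
- INTERNAL_RESOLVERS and C2_IOCS are placeholders; load real values in production.
"""
import ipaddress
from collections import defaultdict

# Constructed: the organisation's sanctioned internal DNS resolvers.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed placeholder IoC list; replace with CERT-UA's published C2 addresses.
C2_IOCS = {"203.0.113.10", "198.51.100.77"}

# Constructed sample log lines (external addresses are RFC 5737 / public resolvers).
SAMPLE_LOG = """\
2024-01-25T10:00:01Z 10.0.5.21 10.0.0.53 53 udp
2024-01-25T10:00:02Z 10.0.5.21 8.8.8.8 53 udp
2024-01-25T10:00:03Z 10.0.5.21 1.1.1.1 53 tcp
2024-01-25T10:00:04Z 10.0.5.22 10.0.0.53 53 udp
2024-01-25T10:00:05Z 10.0.5.21 203.0.113.10 443 tcp
2024-01-25T10:00:06Z 10.0.5.23 192.0.2.9 80 tcp
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def is_internal(ip):
    """True for RFC 1918 / private ranges, which we never treat as rogue resolvers."""
    return ipaddress.ip_address(ip).is_private


def detect(log_text, internal_resolvers=INTERNAL_RESOLVERS, iocs=C2_IOCS):
    """Return (rogue_dns, ioc_hits).

    rogue_dns: {src_ip: sorted list of external DNS servers it queried directly}
    ioc_hits:  list of (ts, src, dst, port) where dst is on the C2 IoC list
    """
    rogue = defaultdict(set)
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # DirtyMoe resolves its static C2 domains through external resolvers as well
        # as local ones; a workstation talking DNS to anything but the sanctioned
        # resolvers is the observable side of that behaviour.
        if ev["port"] == 53 and ev["dst"] not in internal_resolvers and not is_internal(ev["dst"]):
            rogue[ev["src"]].add(ev["dst"])
        # Straight IoC match against the published intermediary control-server IPs.
        if ev["dst"] in iocs:
            hits.append((ev["ts"], ev["src"], ev["dst"], ev["port"]))
    return {k: sorted(v) for k, v in rogue.items()}, hits


if __name__ == "__main__":
    rogue_dns, ioc_hits = detect(SAMPLE_LOG)
    for host, resolvers in rogue_dns.items():
        print(f"{host} sent DNS directly to external resolvers: {', '.join(resolvers)}")
    for ts, src, dst, port in ioc_hits:
        print(f"{ts} {src} -> {dst}:{port} matches C2 IoC list")
```

The direct-to-external DNS check is deliberately broad: some legitimate software also bypasses the local resolver, so treat it as a lead to correlate with the IoC hits and with the host's process activity rather than as a verdict on its own. Because CERT-UA reports roughly 20 new control-server addresses per day, the IoC set should be refreshed on a schedule rather than loaded once.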
