A Warning of the rapid growth of the DirtyMoe botnet (PurpleFox, Perkiler, and NuggetPhantom), gone 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Experts defined DirtyMoe as a complex malware that has been designed as a modular system
The Windows botnet has been used to mine cryptocurrency, it was also involved in DDoS attacks. The DirtyMoe rootkit was delivered using malicious spam campaigns or served by malicious sites hosting the PurpleFox exploit kit that triggers vulnerabilities in Internet Explorer, such as the CVE-2020-0674 scripting engine memory corruption vulnerability.
The operations behind the DirtyMoe botnet rapidly changed, the malware authors added a worm module that could increase their activity by spread via the internet to other Windows systems.
The module that implements the warm capabilities was spotted scanning the internet and performing password brute-force attacks against Windows systems with SMB port open online.
Most of the hits are in Russia (65k), followed by Ukraine, Vietnam and Brazil.
Most of the C&C servers involved in the attacks are located in China, a circumstance that suggests that the threat actors behind DirtyMoe are a well-organized group that operates on a global scale.
The malware implements many self-defense and hiding techniques applied on local, network, and kernel layers. Communication with C&C servers is based on DNS requests and it uses a special mechanism translating DNS results to a real IP address. Therefore, blocking of C&C servers is not an easy task since C&C addresses are different each time and they are not hard-coded.
Both PurpleFox and DirtyMoe are still active malware and gaining strength.