The malware botnet known as DirtyMoe has been around since at least 2016, but its newest version makes some major changes that put it back in the spotlight. Take a look at how the new version works, what is different about it and how to defend against it.

Back in 2016, NuggetPhantom appeared as its first iteration. NuggetPhantom and several of the threat’s other early samples didn’t work well, however. They tended to be unstable and they yielded symptoms expected of a compromise.

Fast forward five years, and DirtyMoe is a different malware. Avast analyzed its most recent variants and found that they match other threats in terms of their anti-forensic, anti-debugging and anti-tracking capabilities. On top of this, the DirtyMoe botnet balances a modular structure with a threat profile that can’t be detected or tracked.

How the DirtyMoe Botnet Works

DirtyMoe’s attack chain begins with the attackers attempting to gain admin privileges on a target’s Windows machine.

One of their preferred techniques is relying on the PurpleFox exploit kit to misuse EternalBlue, an opening in Windows. In spring 2019, researchers discovered a campaign in which digital attackers leveraged the flaw to distribute cryptomining malware.

DirtyMoe’s authors also used infected files and phishing emails. These contained URLs to exploit Internet Explorer flaws as a means of gaining higher privileges. Once they gain admin rights, the attackers can use the Windows MSI installer to deploy DirtyMoe. They used Windows Session Manager to overwrite ‘sens.dll,’ the system file which pertains to the Windows System Event Notification. The compromise enabled the main DirtyMoe botnet service to run at the system level.

Loading that service started up a rootkit driver concealing DirtyMoe’s services, files and registry entries. At the time when it was discovered, the malware authors used their creation mostly to engage in cryptojacking. Other researchers found the threat could conduct distributed denial-of-service (DDoS) attacks, as well.

All the while, attackers used VMProtect and the malware’s own encryption algorithm to hide what they were doing. They also employed rootkit techniques for concealing the botnet and a multi-level network communication architecture to hide their servers.

The Connection to PurpleFox

The PurpleFox exploit kit has long been known to have some kind of connection to the DirtyMoe botnet. However, whether they are in fact different things is a matter of some debate. PurpleFox is older than the current version of DirtyMoe, as Trend Micro observed in September 2019 as the RIG exploit kit delivered PurpleFox. The fileless downloader ran cryptomining malware once it installed itself on a victim’s machine.

In 2020, the PurpleFox exploit kit added two new flaws to its arsenal. One of those included a bug for Internet Explorer.

Then in the spring of 2021, the malware became able to to breach Windows machines through SMB password brute force and thereafter propagate as a worm.

Defending Against DirtyMoe

Businesses and agencies can defend themselves against the DirtyMoe botnet by investing in a modern vulnerability management solution. To do so, make sure your system admins, security teams and others stay in touch with each other about potential problems. In addition, confirm that your multi-pronged anti-phishing strategy takes advantage of both employee security awareness training and technical controls, such as multifactor authentication.