The malware botnet known as DirtyMoe has been around since at least 2016, but its newest version makes some major changes that put it back in the spotlight. Take a look at how the new version works, what is different about it and how to defend against it.

Back in 2016, NuggetPhantom appeared as its first iteration. NuggetPhantom and several of the threat’s other early samples didn’t work well, however. They tended to be unstable and they yielded symptoms expected of a compromise.

Fast forward five years, and DirtyMoe is a different malware. Avast analyzed its most recent variants and found that they match other threats in terms of their anti-forensic, anti-debugging and anti-tracking capabilities. On top of this, the DirtyMoe botnet balances a modular structure with a threat profile that can’t be detected or tracked.

How the DirtyMoe Botnet Works

DirtyMoe’s attack chain begins with the attackers attempting to gain admin privileges on a target’s Windows machine.

One of their preferred techniques is relying on the PurpleFox exploit kit to misuse EternalBlue, an opening in Windows. In spring 2019, researchers discovered a campaign in which digital attackers leveraged the flaw to distribute cryptomining malware.

DirtyMoe’s authors also used infected files and phishing emails. These contained URLs to exploit Internet Explorer flaws as a means of gaining higher privileges. Once they gain admin rights, the attackers can use the Windows MSI installer to deploy DirtyMoe. They used Windows Session Manager to overwrite ‘sens.dll,’ the system file which pertains to the Windows System Event Notification. The compromise enabled the main DirtyMoe botnet service to run at the system level.

Loading that service started up a rootkit driver concealing DirtyMoe’s services, files and registry entries. At the time when it was discovered, the malware authors used their creation mostly to engage in cryptojacking. Other researchers found the threat could conduct distributed denial-of-service (DDoS) attacks, as well.

All the while, attackers used VMProtect and the malware’s own encryption algorithm to hide what they were doing. They also employed rootkit techniques for concealing the botnet and a multi-level network communication architecture to hide their servers.

The Connection to PurpleFox

The PurpleFox exploit kit has long been known to have some kind of connection to the DirtyMoe botnet. However, whether they are in fact different things is a matter of some debate. PurpleFox is older than the current version of DirtyMoe, as Trend Micro observed in September 2019 as the RIG exploit kit delivered PurpleFox. The fileless downloader ran cryptomining malware once it installed itself on a victim’s machine.

In 2020, the PurpleFox exploit kit added two new flaws to its arsenal. One of those included a bug for Internet Explorer.

Then in the spring of 2021, the malware became able to to breach Windows machines through SMB password brute force and thereafter propagate as a worm.

Defending Against DirtyMoe

Businesses and agencies can defend themselves against the DirtyMoe botnet by investing in a modern vulnerability management solution. To do so, make sure your system admins, security teams and others stay in touch with each other about potential problems. In addition, confirm that your multi-pronged anti-phishing strategy takes advantage of both employee security awareness training and technical controls, such as multifactor authentication.

More from News

Are Threat Actors Using ChatGPT to Hack Your Network?

Though the technology has only been widely available for a couple of months, everyone is talking about ChatGPT. If you are one of the few people unfamiliar with ChatGPT, it is an OpenAI language model with the “ability to generate human-like text responses to prompts.” It could be a game-changer wherever AI meshes with human interaction, like chatbots. Some are even using it to build editorial content. But, as with any popular technology, what makes it great can also make…

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…