DirtyMoe modules expand the bot using worm-like techniques

The DirtyMoe botnet continues to evolve and now includes a module that implements wormable propagation capabilities.

In June 2021, researchers from Avast warned of the rapid growth of the DirtyMoe botnet (PurpleFox, Perkiler, and NuggetPhantom), which passed from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Experts defined DirtyMoe as a complex malware that has been designed as a modular system.

The Windows botnet has been active since late 2017, it was mainly used to mine cryptocurrency, but it was also involved in DDoS attacks in 2018. The DirtyMoe rootkit was delivered via malspam campaigns or served by malicious sites hosting the PurpleFox exploit kit that triggers vulnerabilities in Internet Explorer, such as the CVE-2020-0674 scripting engine memory corruption vulnerability.

The operations behind the DirtyMoe botnet rapidly changed since the end of 2020, when the malware authors added a worm module that could increase their activity by spread via the internet to other Windows systems.

Now Avast researchers provided details of a DirtyMoe module that uses worm-like techniques to allow the threat to spread without user interaction.

“The analysis showed that the worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows Privilege Escalation. Another important discovery is a dictionary attack using Service Control Manager Remote Protocol (SCMR), WMI, and MS SQL services. Finally, an equally critical outcome is discovering the algorithm that generates victim target IP addresses based on the worming module’s geographical location.” reads an analsys published by Avast.”One worm module can generate and attack hundreds of thousands of private and public IP addresses per day; many victims are at risk since many machines still use unpatched systems or weak passwords.”

The DirtyMoe service is run as a svchost process that starts the DirtyMoe Core and Executioner processes, the latter manages the malware modules. The executioner loads two modules, a Monero miner and a module for worming replication.

The DirtyMoe worm exploits the following vulnerabilities to spread the malware:

• CVE-2019-9082: ThinkPHP – Multiple PHP Injection RCEs
• CVE-2019-2725: Oracle Weblogic Server – ‘AsyncResponseService’ Deserialization RCE
• CVE-2019-1458: WizardOpium Local Privilege Escalation
• CVE-2018-0147: Deserialization Vulnerability
• CVE-2017-0144: EternalBlue SMB Remote Code Execution (MS17-010)
• MS15-076: RCE Allow Elevation of Privilege (Hot Potato Windows Privilege Escalation)
• Dictionary attacks aimed at MS SQL Servers, SMB, and Windows Management Instrumentation (WMI) services with weak passwords

The worming module is designed to achieve RCE under administrator privileges and install the DirtyMoe.

The key feature of this module is the generation of IP addresses (IPs) to attack. The malware implements six methods to generate IPs with the help of a pseudo-random generator.

“We also discovered one worming module in development containing other vulnerability exploit implementations – it did not appear to be fully armed for deployment. However, there is a chance that tested exploits are already implemented and are spreading in the wild.” concludes the analysis. “Based on the amount of active DirtyMoe instances, it can be argued that worming can threaten hundreds of thousands of computers per day. Furthermore, new vulnerabilities, such as Log4j, provide a tremendous and powerful opportunity to implement a new worming module. With this in mind, our researchers continue to monitor the worming activities and hunt for other worming modules.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

[adrotate banner=”5″]

[adrotate banner=”13″]