Pierluigi Paganini February 02, 2024

The Computer Emergency Response Team in Ukraine (CERT-UA) reported that a PurpleFox malware campaign had already infected at least 2,000 computers in the country.

The Computer Emergency Response Team in Ukraine (CERT-UA) is warning about a malware campaign that has infected at least 2,000 computers in the country with the PurpleFox malware (aka ‘DirtyMoe‘).

“The Government Computer Emergency Response Team of Ukraine CERT-UA, guided by Clause 1 of Article 9 of the Law of Ukraine “On the Basic Principles of Ensuring Cyber ​​Security of Ukraine”, took measures to provide practical assistance to a state-owned enterprise due to the massive damage to the organization’s computers by the malicious program DIRTYMOE (PURPLEFOX).” reads the alert published by CERT-UA. “As part of a detailed study of the cyber threat, a study of the received samples of malicious programs was conducted, the peculiarities of the functioning of the management server infrastructure were established, and more than 2,000 affected computers were identified in the Ukrainian segment of the Internet.”

In June 2021, researchers from Avast warned of the rapid growth of the DirtyMoe botnet (PurpleFox, Perkiler, and NuggetPhantom), which passed from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. Experts defined DirtyMoe as a complex malware that has been designed as a modular system.

The Windows botnet has been active since late 2017, it was mainly used to mine cryptocurrency, but it was also involved in DDoS attacks in 2018. The DirtyMoe rootkit was delivered via malspam campaigns or served by malicious sites hosting the PurpleFox exploit kit that triggers vulnerabilities in Internet Explorer, such as the CVE-2020-0674 scripting engine memory corruption vulnerability.

The operations behind the DirtyMoe botnet rapidly changed since the end of 2020, when the malware authors added a worm module that could increase their activity by spreading via the internet to other Windows systems.

CERT-UA shared technical details about the ongoing campaign, tracked as UAC-0027, due to the complexity of removing the DIRTYMOE components due to the use of the rootkit.

In the attacks observed by the Ukrainian authorities, the infection chain relies on MSI installers to deploy the PurpleFox malware.

The malware uses exploits for known vulnerabilities and password brute-forcing attacks for self-propagation.

Between January 20 and January 31, 2024, CERT-UA identified 486 IP addresses associated with intermediate control servers. The majority of these addresses are linked to (compromised) equipment located in China. Approximately 20 new IP addresses are added daily.

The alert includes indicators of compromise and guidance to remove the malware from the infected systems.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, PurpleFox malware)