DirtyMoe botnet exploits old flaws to increase its infection rate

March 24, 2022

The DirtyMoe botnet has gained new worm-like propagation abilities that let it spread to new hosts without any user interaction.

According to researchers, the worming module targets previously known vulnerabilities such as Hot Potato Windows Privilege Escalation and Windows Blue. They also found that a single worm module can generate and attack thousands of public and private IP addresses per day.

Many victims are exposed to these attacks because numerous machines still run unpatched systems and use weak passwords.

Threat actors use the DirtyMoe malware to run cryptojacking and DDoS campaigns. They distribute it through Telegram Messenger installers into which the malware has been injected, or through external exploit kits such as PurpleFox.

The threat actors also employ an attack sequence, part of their service, that deploys two additional processes called “Core” and “the Executioner.” These two processes load the Monero modules and distribute the malware.

The worming modules infect targets’ devices by exploiting numerous flaws to install DirtyMoe. The modules exploit vulnerabilities such as CVE-2019-9082, CVE-2019-2725, CVE-2019-1458, CVE-2018-0147, CVE-2017-0144, and an RCE known as MS15-076.

DirtyMoe threat actors also run brute-force attacks against MS SQL servers, Windows Management Instrumentation (WMI), and SMB services protected by weak passwords.


Researchers assess that the threat actors aim to gain administrator privileges in order to deploy the new DirtyMoe botnet effectively.


The main objective of the worming module is to obtain RCE with administrator privileges and install the new DirtyMoe malware. The researchers also note that one of the component’s core features is generating a list of IP addresses to attack, selected according to the module’s own location.

Another worming module, still in development, contains exploits targeting Oracle WebLogic Servers, PHP, and Java deserialisation. This in-development module suggests that the threat actors are seeking to widen the scope of their infections.

The worm modules pick their targets with an algorithm that generates IP addresses evenly distributed across the world and then also targets home and local networks. Private and public IP networks behind firewalls are vulnerable to the botnet.
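The propagation behaviour described above (one host fanning out to thousands of public and private addresses per day, brute-forcing SMB, WMI and MS SQL) leaves a distinctive footprint in network flow telemetry. The following Python script is an added defender-side illustration, not code from the article or from any DirtyMoe sample: it parses constructed NetFlow-style records, counts distinct destinations per source on the ports the article names (445, 135, 1433) inside a sliding time window, and splits a flagged host's targets into RFC 1918 private and other addresses. The sample records, the ten-minute window and the fan-out threshold of eight are assumptions chosen for the example.

```python
"""Flag hosts with worm-like fan-out on SMB / WMI (RPC) / MS SQL ports.

Added example for illustration; the flow records below are constructed,
not real telemetry, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Services the article reports DirtyMoe brute-forcing: SMB, WMI over RPC, MS SQL.
WORM_PORTS = {445, 135, 1433}

# RFC 1918 ranges used to classify a target as "private" (home / local network).
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample flows: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
# 10.0.0.7 sweeps ten distinct hosts in ten seconds; 10.0.0.50 is a normal client.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public hosts.
SAMPLE_FLOWS = """
2022-03-24T10:00:01 10.0.0.7 10.0.0.21 445
2022-03-24T10:00:02 10.0.0.7 10.0.0.22 445
2022-03-24T10:00:03 10.0.0.7 10.0.0.23 135
2022-03-24T10:00:04 10.0.0.7 10.0.0.24 1433
2022-03-24T10:00:05 10.0.0.7 192.168.1.9 445
2022-03-24T10:00:06 10.0.0.7 203.0.113.5 445
2022-03-24T10:00:07 10.0.0.7 203.0.113.6 445
2022-03-24T10:00:08 10.0.0.7 198.51.100.17 1433
2022-03-24T10:00:09 10.0.0.7 198.51.100.18 135
2022-03-24T10:00:10 10.0.0.7 203.0.113.9 445
2022-03-24T10:00:11 10.0.0.50 10.0.0.21 445
2022-03-24T10:00:12 10.0.0.50 10.0.0.21 445
2022-03-24T10:00:13 10.0.0.50 10.0.0.22 445
2022-03-24T10:00:14 10.0.0.50 203.0.113.5 443
2022-03-24T11:00:00 10.0.0.7 10.0.0.25 445
"""


def is_rfc1918(ip):
    """True if the address falls inside one of the RFC 1918 private ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, port) tuples, skipping malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_scanners(records, window=timedelta(minutes=10), min_distinct=8):
    """Return {src: {"distinct", "private", "public"}} for sources that contact
    at least `min_distinct` different hosts on WORM_PORTS within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in WORM_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        triggered = False
        for end, (ts_end, _) in enumerate(events):
            # Slide the window start forward until it spans at most `window`.
            while ts_end - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= min_distinct:
                triggered = True
                break
        if triggered:
            targets = {d for _, d in events}
            private = sum(1 for d in targets if is_rfc1918(d))
            hits[src] = {"distinct": len(targets), "private": private, "public": len(targets) - private}
    return hits


if __name__ == "__main__":
    for src, summary in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {summary['distinct']} distinct targets "
              f"({summary['private']} private, {summary['public']} public)")
```

The private/public split matters because the article stresses that the worm reaches both local networks and Internet-facing hosts: a corporate workstation sweeping neighbouring RFC 1918 ranges on port 445 and a server reaching out to hundreds of public addresses on 1433 are both worth an alert, but they call for different containment steps.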
