Last Updated on 21/03/2022 by Nidhi Khandelwal
According to a new study, the malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without any user interaction.
In a paper published Wednesday, Avast researcher Martin Chlumecký wrote, “The worming module targets earlier well-known vulnerabilities, such as EternalBlue and Hot Potato Windows privilege escalation.”
“On a daily basis, a single worm module can produce and target hundreds of thousands of private and public IP addresses; many victims are at risk because many PCs still use unpatched systems or weak passwords.”
The DirtyMoe botnet has been active since 2016, and it uses external exploit kits like PurpleFox or trojanized Telegram Messenger installers to carry out cryptojacking and distributed denial-of-service (DDoS) attacks.
A DirtyMoe service is also part of the attack chain: it launches two further processes, the Core and the Executioner, which load the modules responsible for Monero mining and for spreading the malware in a worm-like fashion.
“The worming module’s main purpose is to achieve RCE under administrator privileges and install a new DirtyMoe instance,” Chlumecký said, adding that one of the component’s core functions is to produce a list of target IP addresses that depends on the module’s geographical location.
Furthermore, attacks targeting PHP, Java deserialization, and Oracle WebLogic servers were discovered in another in-development worming module, suggesting that the attackers are seeking to widen the scope of the infections.