DirtyMoe's Botnet Unleashes 600% Spike In Windows Attacks
By: Jim Stickley and Tina Davis
April 18, 2022
The DirtyMoe Windows botnet has been crazy-busy this year and is getting more active daily. From May of last year to the beginning of 2021 alone, security experts found a total of 90,000 DirtyMoe attacks, a 600% spike overall. According to Avast researchers, DirtyMoe grew from infecting 10,000 Windows systems in 2020 to over 100,000 in the first half of this year. Experts believe the actual number of infected systems could be much greater than Avast’s findings.
First detected in 2016, DirtyMoe has what some call a “fascinating evolution,” having started out as cryptojacking malware. It evolved into its current iteration by successfully using anti-tracking, anti-forensic, and anti-debugging techniques on Windows systems. These abilities allow DirtyMoe to infect systems with little to no detection by anti-virus solutions. By the end of last year, the botnet authors added a worm module allowing DirtyMoe to use the internet to spread into Windows systems, greatly increasing its nefarious capabilities.
What can you do? At the moment, staying on top of updates and patches is key. Also, watch for phishing attempts that appear in your email inbox. And although DirtyMoe has evaded anti-virus solutions, it’s still important to have anti-virus installed on all devices and kept updated at all times.
Currently, the countries most targeted by DirtyMoe are Russia, Ukraine, Vietnam, and Brazil. The malware is also leading attacks in Europe and Asia, including a significant number of strikes in the U.S. It’s widely agreed that we can all expect to see more of DirtyMoe in the near future.
Since DirtyMoe needs an exploit kit to deploy its malware, the Purple Fox hacking group has become a close ally for spreading its attacks. The primary purpose behind Purple Fox is to infect a system and distribute malware belonging to others. Some experts question whether the two are separate malware groups or whether Purple Fox is being paid to distribute DirtyMoe’s malware.
DirtyMoe and Purple Fox also have similar network infrastructures, further fueling speculation that the two are controlled by the same hacking group. Regardless, attacks by the two continue to escalate. DirtyMoe’s command and control (C&C) servers are located in China, suggesting its threat actors are operating on a global level. Among the currently unanswered questions, one thing is known for sure – DirtyMoe’s attacks are thriving and need to be closely monitored.