Malware called DirtyMoe has received new worm-like distribution capabilities that allow it to expand its scope without requiring any user interaction.
“The module uses old known vulnerabilities, for example, EternalBlue and the Windows Hot Potato privilege escalation vulnerability. One worm-like module can generate and attack hundreds of thousands of private and public IP addresses per day. Many companies are at risk of attacks because they still use unpatched systems or unreliable passwords,” said specialist Martin Chlumecky from Avast.
The DirtyMoe botnet has been used since 2016 to conduct cryptojacking and distributed denial of service (DDoS) attacks. The malware is deployed using external exploit kits, such as PurpleFox, or embedded Telegram Messenger installers.
The attacks also use the DirtyMoe service, which launches two additional processes (Core and Executioner) to load the Monero cryptocurrency mining module and the worm-like distribution module.
Modules attack computers using multiple vulnerabilities to install malware, with each module targeting a specific vulnerability:
CVE-2019-9082: ThinkPHP – RCE vulnerability;
CVE-2019-2725: Oracle Weblogic Server – RCE-AsyncResponseService Deserialization vulnerability;
CVE-2019-1458: WizardOpium Local Privilege Escalation Vulnerability;
CVE-2018-0147: Deserialization Vulnerability;
CVE-2017-0144: RCE-EternalBlue SMB vulnerability (MS17-010);
MS15-076: Hot Potato Windows privilege escalation vulnerability.
The main purpose of the worm-like module is to remotely execute code with administrator rights and install a new instance of DirtyMoe. One of the component's main functions is to create a list of target IP addresses for an attack based on the geographical location of the module.