Avast researchers have observed DirtyMoe malware acquiring new worm-like propagation capabilities, which allow it to extend its reach without requiring any user interaction.
According to Avast researcher Martin Chlumecký, DirtyMoe's worming module targets older, well-known vulnerabilities such as EternalBlue and the Hot Potato Windows privilege escalation. A single worm module can generate and target hundreds of thousands of private and public IP addresses per day. Because many machines still run unpatched systems or use weak passwords, a large pool of potential victims remains at risk.
Cybersecurity researchers currently observe three main distribution techniques: the PurpleFox exploit kit (EK), the PurpleFox worm, and injected installers of Telegram Messenger, all of which serve as vehicles to deliver and install DirtyMoe. It is highly likely that the malware uses other distribution channels as well.
The malware also runs a service that launches two additional processes: one loads the module for Monero mining, the other loads the module for worm-like spreading. The worming modules exploit several vulnerabilities to install the malware, each module targeting a specific vulnerability chosen on the basis of information gathered about the victim during reconnaissance:
• CVE-2019-9082: ThinkPHP – Multiple PHP Injection RCEs
• CVE-2019-2725: Oracle Weblogic Server – 'AsyncResponseService' Deserialization RCE
• CVE-2019-1458: WizardOpium Local Privilege Escalation
• CVE-2018-0147: Deserialization Vulnerability
• CVE-2017-0144: EternalBlue SMB Remote Code Execution (MS17-010)
• MS15-076: Windows RPC vulnerability allowing elevation of privilege (Hot Potato Windows privilege escalation)
• Dictionary attacks aimed at MS SQL Servers, SMB, and Windows Management Instrumentation (WMI) services with weak passwords
"The main goal of the worming module is to achieve RCE under administrator privileges and install a new DirtyMoe instance," Chlumecký explained, adding that one of the component's primary functions is to generate a list of IP addresses to attack based on the geographical location of the module.
In addition, another worming module, still in development, was found to incorporate exploits targeting PHP, Java deserialization, and Oracle WebLogic servers, indicating that the operators are looking to widen the scope of the infections.
"Worming target IPs are generated utilizing the cleverly designed algorithm that evenly generates IP addresses across the world and in relation to the geological location of the worming module," Chlumecký concluded. "Moreover, the module targets local/home networks. Because of this, public IPs and even private networks behind firewalls are at risk."
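The dictionary attacks against MS SQL, SMB and WMI listed above, and the point that the worm reaches private networks as well as public IPs, are the two behaviours a defender can most readily detect on the victim side. The following is an added example (not DirtyMoe's code and not Avast's tooling) of detection logic that flags a burst of authentication failures from one source against one service and tags whether the source sits in an RFC 1918 range. The log lines, the simplified one-line-per-event format, the 60-second window and the threshold of five failures are all constructed for the example; real Windows 4625 and SQL Server 18456 events carry more fields and would need a different parser.

```python
"""Added example: flag dictionary attacks against SMB/WMI and MSSQL from log lines.

Not DirtyMoe's or Avast's code. The log format below is a constructed,
simplified normalisation: '<ISO timestamp> <source> <event id> <fields>'.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Windows Security 4625 = failed logon; LogonType=3 is a
# network logon, which is how SMB and WMI/DCOM authentication failures appear.
# MSSQL 18456 = SQL Server login failure. All addresses and users are invented.
SAMPLE_LOG = """\
2022-03-01T10:00:01 Security 4625 LogonType=3 User=administrator SrcIp=203.0.113.7
2022-03-01T10:00:02 Security 4625 LogonType=3 User=admin SrcIp=203.0.113.7
2022-03-01T10:00:02 Security 4625 LogonType=3 User=test SrcIp=203.0.113.7
2022-03-01T10:00:03 Security 4625 LogonType=3 User=guest SrcIp=203.0.113.7
2022-03-01T10:00:04 Security 4625 LogonType=3 User=user SrcIp=203.0.113.7
2022-03-01T10:00:05 Security 4625 LogonType=3 User=root SrcIp=203.0.113.7
2022-03-01T10:00:09 Security 4625 LogonType=2 User=alice SrcIp=10.0.0.12
2022-03-01T10:00:30 MSSQL 18456 Login failed for user 'sa'. Client: 192.168.1.44
2022-03-01T10:00:31 MSSQL 18456 Login failed for user 'sa'. Client: 192.168.1.44
2022-03-01T10:00:31 MSSQL 18456 Login failed for user 'sa'. Client: 192.168.1.44
2022-03-01T10:00:32 MSSQL 18456 Login failed for user 'sa'. Client: 192.168.1.44
2022-03-01T10:00:33 MSSQL 18456 Login failed for user 'sa'. Client: 192.168.1.44
2022-03-01T10:00:33 MSSQL 18456 Login failed for user 'admin'. Client: 192.168.1.44
2022-03-01T10:05:00 Security 4625 LogonType=3 User=bob SrcIp=10.0.0.20
2022-03-01T10:09:00 Security 4625 LogonType=3 User=bob SrcIp=10.0.0.20
"""

WIN_4625 = re.compile(r"^(\S+) Security 4625 LogonType=(\d+) User=(\S+) SrcIp=(\S+)$")
SQL_18456 = re.compile(r"^(\S+) MSSQL 18456 Login failed for user '([^']+)'\. Client: (\S+)$")

# RFC 1918 ranges: the "private networks behind firewalls" the worm also targets.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Normalise one line to (timestamp, service, src_ip, user), or None if it is
    not a relevant failure. Only network logons (type 3) are kept for 4625, so
    console and RDP failures are ignored."""
    m = WIN_4625.match(line)
    if m:
        ts, logon_type, user, src = m.groups()
        if logon_type != "3":
            return None
        return datetime.fromisoformat(ts), "SMB/WMI", src, user
    m = SQL_18456.match(line)
    if m:
        ts, user, src = m.groups()
        return datetime.fromisoformat(ts), "MSSQL", src, user
    return None


def source_scope(ip):
    """'private' if the source is in an RFC 1918 range, otherwise 'public'."""
    addr = ipaddress.ip_address(ip)
    return "private" if any(addr in net for net in PRIVATE_NETS) else "public"


def detect_dictionary_attacks(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (source IP, service) that produced at least
    `threshold` failures inside any sliding `window`; the alert records the
    densest window seen and how many distinct usernames were tried."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed:
            ts, service, src, user = parsed
            events[(src, service)].append((ts, user))

    alerts = []
    for (src, service), evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the left edge
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                users = {u for _, u in evs[start:end + 1]}
                best = (count, evs[start][0], evs[end][0], users)
        if best:
            count, t0, t1, users = best
            alerts.append({
                "src_ip": src,
                "service": service,
                "source_scope": source_scope(src),
                "failures": count,
                "distinct_users": len(users),
                "window_start": t0.isoformat(),
                "window_end": t1.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this raises two alerts: a public source spraying six different usernames at SMB/WMI, and a host inside 192.168.0.0/16 hammering the 'sa' account on MSSQL. The second is the case worth keeping in mind from the quote above: an alert from an internal address is consistent with an already-infected neighbour on the same LAN, not only with an Internet-facing scan, so the source host should be triaged as a possible DirtyMoe instance rather than dismissed as noise.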