DirtyMoe Botnet has Infected over 100,000 Windows Systems

More than 100,000 Windows systems have been infected with the DirtyMoe malware. According to cyber-security firm Avast, a Windows malware botnet thought to be managed out of China has surged this year, increasing from 10,000 infected systems in 2020 to more than 100,000 in the first half of 2021. The malware, which goes by the names DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, has been circulating since late 2017. 

Its main goal has been to infect Windows systems and mine cryptocurrency behind the users’ backs, although the functionality to execute DDoS assaults was discovered in 2018. The botnet was a small-scale operation for the majority of its existence. Its authors mostly used email spam to get people to malicious websites that hosted the PurpleFox exploit kit. 

This web-based attack tool took use of browser vulnerabilities, most commonly in Internet Explorer, to install a rootkit component on unpatched Windows computers, giving the malware complete control over the affected host, which is then used for crypto-mining. This rootkit, also known as DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, was well-known in the cyber-security field, but it was only considered a minor threat. 

According to Avast, the DirtyMoe botnet had an annual average of a few hundred to a few thousand infected systems for the majority of its life from 2017 to 2020. Things changed dramatically near the end of 2021 when the DirtyMoe gang released an update to their operation that included a worm module that allowed the malware to spread across the internet to other Windows systems. “Recently, a new infection vector that cracks Windows machines through SMB password brute force is on the rise” reads the analysis published by Avast. This module scoured the internet for distant Windows machines that had left their SMB port exposed online and launched password brute-force attacks against them. 

The malware’s SMB propagation module allowed it to explode in terms of infections on a logarithmic scale, with over 100,000 systems affected this year alone, according to Avast. However, this figure is based solely on Avast’s visibility—that is, PCs with the antivirus software installed. The true magnitude of the DirtyMoe botnet is thought to be far larger. 

A report from Tencent, a Chinese security firm, detected an increase in DirtyMoe/PurpleFox infections in China over the course of 2021, reflecting the comparable explosion in infection numbers reported by Avast in Europe, Asia, and America at the start of the month.