The analysis reveals that the worming module targets older, well-known vulnerabilities, such as Eternal blue and Hot Potato. DirtyMoe is also capable of performing a dictionary attack using Service Control Manager Remote Protocol (SCMR), WMI, and MS SQL services. The researchers also discovered an algorithm that generates victim IP addresses based on the worming module’s geo location. What does this mean?
“One worm module can generate and attack hundreds of thousands of private and public IP addresses per day; many victims are at risk since many machines still use unpatched systems or weak passwords,” the researchers said. It should also be noted that the malware uses a wholesome modular design, meaning that new worming modules can be added soon that target widespread vulnerabilities.
How Is DirtyMoe Malware Propagated in the Wild?
The researchers are currently observing three main approaches that spread the malware: PurpleFox EK, PurleFox Worm, and injected Telegram Installers serve as mediums to spread and install DirtyMoe. However, it is highly likely that the malware uses other distribution techniques as well.
The malware uses the following vulnerabilities as an entry point to a system:
CVE:2019-9082: ThinkPHP – Multiple PHP Injection RCEs
CVE:2019-2725: Oracle Weblogic Server – ‘AsyncResponseService’ Deserialization RCE
CVE:2019-1458: WizardOpium Local Privilege Escalation
CVE:2018-0147: Deserialization Vulnerability
CVE:2017-0144: EternalBlue SMB Remote Code Execution (MS17-010)
MS15-076: RCE Allow Elevation of Privilege (Hot Potato Windows Privilege Escalation)
Dictionary attacks to MS SQL Servers, SMB, and Windows Management Instrumentation (WMI)
It seems that the malware is getting more widespread globally, which is a result of its worming strategy of generating targets using a pseudo-random IP generator. This technique makes DirtyMoe more flexible and efficient. Moreover, the malware can be expanded to machines hidden behind NAT (Network Access Translation), which enables its lateral movement in local networks.
“A single DirtyMoe instance can generate and attack up to 6,000 IP addresses per second,” the report added.
The amount of active DirtyMoe instances could mean that it could endanger hundreds of thousands of machines per day. The emergence of new critical vulnerabilities, such as Log4j, further provide “a tremendous and powerful opportunity to implement a new worming module.” That is why the researchers will continue to monitor DirtyMoe’s worming activities, looking for new modules.