
The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found.

“The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation,” Avast researcher Martin Chlumecký said in a report published Wednesday.

“One worm module can generate and attack hundreds of thousands of private and public IP addresses per day; many victims are at risk since many machines still use unpatched systems or weak passwords.”

Active since 2016, the DirtyMoe botnet is used for carrying out cryptojacking and distributed denial-of-service (DDoS) attacks, and is deployed by means of external exploit kits like PurpleFox or injected installers of Telegram Messenger.

Also employed as part of the attack sequence is a DirtyMoe service that triggers the launch of two additional processes, namely the Core and the Executioner, which are used to load the modules for Monero mining and to spread the malware in a worm-like manner.
