The meteoric rise in popularity of cryptocurrencies, spurred by the even more impressive gains in value several of them recorded, pushed a previously niche sector into the public limelight. Threat actors noticed the trend and quickly shifted their operations towards abusing it: numerous botnets and malware tools were either created with or retrofitted with crypto-mining capabilities. The threat actors can then hijack the resources of thousands of compromised systems and use them to mine a specific cryptocurrency. One of the latest and most sophisticated malware tools of this type is the DirtyMoe malware. So far the threat has mostly been leveraged against targets in Russia, but victims have also been detected in European and Asian countries. According to infosec researchers, close to a hundred thousand machines infected with DirtyMoe are currently active.
The initial versions of DirtyMoe were tracked by infosec researchers under the name NuggetPhantom and they were often unstable and easily caught by cybersecurity products. Since then, however, the malware has undergone significant evolution and is now an elusive, modular threat that exhibits multiple anti-detection and anti-analysis techniques.
DirtyMoe's attack chain begins with the attackers looking for victims exposed to several known vulnerabilities. One of them is the infamous EternalBlue vulnerability (CVE-2017-0144), which emerged in 2017; apparently enough unpatched systems remain for the threat actors to find continued abuse of it worthwhile. Another exploit favored by DirtyMoe targets the Scripting Engine Memory Corruption Vulnerability (CVE-2020-0674) in Internet Explorer. Victims are lured via phishing emails containing unsafe URLs.
The main characteristic of the DirtyMoe malware is its modularity. The main component is DirtyMoe Core. It is responsible for downloading, updating, encryption, creating backups, and protecting the DirtyMoe threat. The Core is also tasked with feeding malicious code to the DirtyMoe Executioner, which will then, as the name suggests, execute it. The injected code is named either MOE Object or Module and is fetched from the Command-and-Control server of the operation.
The specific behavior of the malware threat can further be adjusted to fit the goals of the threat actors. The cybercriminals can command DirtyMoe to download an encrypted payload carrying the desired functionality and then inject it into itself. In a couple of hours, thousands of instances of DirtyMoe can be modified in this manner. Indeed, DirtyMoe can be used to launch DDoS attacks, perform crypto-mining activities, or deliver additional threatening payloads, such as data collectors, ransomware, Trojans and more.
Potent Hiding and Self-Defense Capabilities
DirtyMoe employs VMProtect to safeguard its main threatening core. It also utilizes a Windows driver that exhibits several functionalities usually found in rootkits, such as service, Registry entry and driver hiding. The driver can further be instructed to hide specific files on the system volume of the infected machine or to inject arbitrary DLLs into any newly created process. Network communication is also achieved through a resilient technique. The threat carries a set of hardcoded DNS servers that it uses to make a DNS request for one hard-coded domain. However, to obtain the final IP address and port, DirtyMoe uses a different sequence of DNS requests. As a result, DirtyMoe becomes resistant to having its final IP address blocked. It is also practically unrealistic to block DNS requests to DNS servers such as Google, Cloudflare and similar services.
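The resolver behaviour described above (queries sent to a set of hardcoded public DNS servers rather than the organisation's own resolver) is something a defender can hunt for in DNS telemetry. The following Python is an added example, not code from the original article or from any published DirtyMoe analysis: it parses a few constructed, Zeek-style DNS log lines and reports hosts that send queries to resolvers outside a sanctioned set, as well as hosts that resolve the same name through several external resolvers. The log format, the sanctioned resolver address 10.0.0.53 and the domain names are assumptions made for the example.

```python
"""Hunt for endpoints that bypass the organisation's DNS resolvers.

Hypothetical detection logic (not from the original article). The log lines
below are constructed; the field layout loosely follows a Zeek dns.log:
    ts  src_ip  dst_ip  dst_port  proto  qname
"""
from collections import defaultdict
import ipaddress

# Constructed sample telemetry. 10.0.0.53 is the (assumed) sanctioned
# internal resolver; 8.8.8.8, 1.1.1.1 and 9.9.9.9 are public resolvers.
SAMPLE_DNS_LOG = """\
1624000001 10.0.5.17 10.0.0.53 53 udp intranet.example.local
1624000002 10.0.5.17 8.8.8.8 53 udp update.example-placeholder.test
1624000003 10.0.5.21 10.0.0.53 53 udp mail.example.local
1624000004 10.0.5.17 1.1.1.1 53 udp update.example-placeholder.test
1624000005 10.0.5.40 10.0.0.53 53 tcp bigzone.example.local
1624000006 10.0.5.40 9.9.9.9 53 udp cdn.example-placeholder.test
"""

# Resolvers endpoints are allowed to talk to directly (assumption).
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}


def parse_dns_log(text):
    """Parse whitespace-separated log lines into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, qname = line.split()
        records.append({
            "ts": int(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
            "qname": qname,
        })
    return records


def find_rogue_resolver_use(records, sanctioned=SANCTIONED_RESOLVERS):
    """Map each source host to the sorted list of unsanctioned resolvers it
    sent DNS traffic (port 53) to. Hosts that only used sanctioned
    resolvers are absent from the result."""
    hits = defaultdict(set)
    for r in records:
        if r["port"] != 53 or r["dst"] in sanctioned:
            continue
        hits[str(r["src"])].add(str(r["dst"]))
    return {src: sorted(dsts) for src, dsts in hits.items()}


def find_multi_resolver_lookups(records, sanctioned=SANCTIONED_RESOLVERS,
                                min_resolvers=2):
    """Flag (host, qname) pairs where the same name was resolved through at
    least `min_resolvers` distinct unsanctioned resolvers. This is the
    'fixed domain, several hardcoded resolvers' pattern, and it is rarely
    produced by ordinary client software."""
    seen = defaultdict(set)
    for r in records:
        if r["port"] != 53 or r["dst"] in sanctioned:
            continue
        seen[(str(r["src"]), r["qname"])].add(str(r["dst"]))
    return {key: sorted(dsts) for key, dsts in seen.items()
            if len(dsts) >= min_resolvers}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for host, resolvers in find_rogue_resolver_use(recs).items():
        print(f"{host} queried unsanctioned resolvers: {', '.join(resolvers)}")
    for (host, name), resolvers in find_multi_resolver_lookups(recs).items():
        print(f"{host} resolved {name} via {len(resolvers)} external resolvers")
```

The first check is coarse (any direct query to a public resolver from an endpoint that should use the internal one); the second is the more specific signal, since a legitimate client rarely asks several different external resolvers for the same name. Both work on egress or sensor DNS logs without needing the malware's final C2 address, which is the point of the technique the article describes.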