The developers of the DirtyMoe botnet (which was assessed as insignificant) added to it a worm-like spreading module, after which the malware infected more than 100,000 Windows systems.
The DirtyMoe botnet which allegedly runs from China, has grown exponentially over the past year. If in 2020 it consisted of 10 thousand infected systems, then in the first half of this year it included 100 thousand systems.
The DirtyMoe botnet, also known as PurpleFox, Perkiler, and NuggetPhantom, has been known since 2017. Its main purpose was (and still is) infecting Windows systems in order to mine cryptocurrency without the awareness of the victims, although in 2018 it also discovered a function for carrying out DDoS attacks.
For most of this time, the botnet was a very modest project. Its creators mostly relied on small spam campaigns to lure victims to the site with a set of PurpleFox exploits.
The rootkit, also called DirtyMoe, PurpleFox, Perkiler, and NuggetPhantom, has been known to the cybersecurity community for a long time, but has always been seen as an interesting but insignificant threat.
According to Avast, the DirtyMoe botnet typically infected hundreds to thousands of systems annually during its existence from 2017 to 2020.
However, everything drastically changed in 2021, when DirtyMoe operators improved their project, adding a new module for worm-like distribution to other Windows systems via the Internet. This module scanned the Internet and carried out brute-force attacks on remote Windows systems with an open SMB port.
After the introduction of the new module, the number of infections increased dramatically – this year alone, more than 100,000 systems were infected. However, these figures are based only on data that is visible to Avast, that is, obtained from computers on which its antivirus solutions are installed. Therefore, the true size of the DirtyMoe botnet is much larger.
Let me remind you that I also talked about the fact that Prometei botnet attacks vulnerable Microsoft Exchange servers.