DirtyMoe botnet potentially infected tens of thousands of computers in Russia with hidden miners

Since the beginning of 2021, about 65,000 computers in Russia have been infected with the DirtyMoe botnet. The main goal of the malware remains to install a hidden cryptocurrency miner on the victim’s device. This is stated in a study by Avast.

Experts say DirtyMoe has been active since 2017 and is controlled from China. The attackers install a set of programs on the victim’s computer that ensure the malware’s persistent presence; as a result, the device becomes part of the botnet.

Data: Avast.

In addition to mining cryptocurrency, the attackers can use the victim’s computer for DDoS attacks or theft of confidential data, including keylogging.

The total number of infected systems exceeds 100,000, although at the end of 2020 it was no more than 10,000. The statistics are collected only from machines where Avast antivirus is installed, so the actual size of the botnet is likely much larger.

DirtyMoe usually spreads via spam, luring users to malicious sites where the PurpleFox exploits are hosted. Avast ties the spike in infections to the appearance of the botnet’s worm module. The botnet can now automatically scan the Internet and break into remote Windows computers by password guessing.

Researchers explained the rise in attacks on users from Russia by the use of pirated software and delayed OS updates. The most common vulnerability exploited by DirtyMoe is the abuse of Internet Explorer, as Microsoft will end support for it in the summer of 2022.

Avast urged users not to ignore installing the necessary updates and to use antivirus software.

Earlier in June, US authorities arrested 55-year-old Russian national Alla Vitte on suspicion of creating the well-known TrickBot botnet.
