{"id":44915,"date":"2021-06-24T14:49:18","date_gmt":"2021-06-24T11:49:18","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=44915"},"modified":"2025-08-31T19:13:47","modified_gmt":"2025-08-31T16:13:47","slug":"dirtymoe-botnet-potentially-infected-tens-of-thousands-of-computers-in-russia-with-hidden-miners","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/dirtymoe-botnet-potentially-infected-tens-of-thousands-of-computers-in-russia-with-hidden-miners\/","title":{"rendered":"DirtyMoe botnet potentially infected tens of thousands of computers in Russia with hidden miners"},"content":{"rendered":"<p>Since the beginning of 2021, about 65,000 computers in Russia have been infected with the DirtyMoe botnet. The main goal of the malware remains to install a hidden cryptocurrency miner on the victim&#8217;s device. This is stated in an <a href=\\\"https:\/\/decoded.avast.io\/martinchlumecky\/dirtymoe-1\/\\\" target=\\\"_blank\\\" rel=\\\"noopener\\\">Avast study<\/a>.<\/p>\n<p>Experts say DirtyMoe has been active since 2017 and is controlled from China. 
The attackers install a set of programs on the victim&#8217;s computer that ensure the malware&#8217;s persistent presence; as a result, the device becomes part of the botnet.<\/p>\n<div id=\\\"attachment_140122\\\" style=\\\"width: 669px\\\" class=\\\"wp-caption alignnone\\\"><img loading=\\\"lazy\\\" decoding=\\\"async\\\" aria-describedby=\\\"caption-attachment-140122\\\" class=\\\"size-full wp-image-140122\\\" src=\\\"https:\/\/forklog.com\/wp-content\/uploads\/Figure-3-alg.png\\\" alt=\\\"The DirtyMoe botnet potentially infected tens of thousands of computers in Russia with hidden miners\\\" width=\\\"659\\\" height=\\\"327\\\" srcset=\\\"https:\/\/forklog.com\/wp-content\/uploads\/Figure-3-alg.png 659w, https:\/\/forklog.com\/wp-content\/uploads\/Figure-3-alg-300x149.png 300w\\\" sizes=\\\"auto, (max-width: 659px) 100vw, 659px\\\" \/><\/p>\n<p id=\\\"caption-attachment-140122\\\" class=\\\"wp-caption-text\\\">Data: Avast.<\/p>\n<\/div>\n<p>In addition to mining cryptocurrency, the attackers can use the victim&#8217;s computer for DDoS attacks or theft of confidential data, including keylogging.<\/p>\n<div id=\\\"attachment_140120\\\" style=\\\"width: 878px\\\" class=\\\"wp-caption alignnone\\\"><img loading=\\\"lazy\\\" decoding=\\\"async\\\" aria-describedby=\\\"caption-attachment-140120\\\" class=\\\"size-full wp-image-140120\\\" src=\\\"https:\/\/forklog.com\/wp-content\/uploads\/Figure-2.-Kill-Chain-Exploitation-and-Installation-1.png\\\" alt=\\\"The DirtyMoe botnet potentially infected tens of thousands of computers in Russia with hidden miners\\\" width=\\\"868\\\" height=\\\"555\\\" srcset=\\\"https:\/\/forklog.com\/wp-content\/uploads\/Figure-2.-Kill-Chain-Exploitation-and-Installation-1.png 868w, https:\/\/forklog.com\/wp-content\/uploads\/Figure-2.-Kill-Chain-Exploitation-and-Installation-1-300x192.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/Figure-2.-Kill-Chain-Exploitation-and-Installation-1-768x491.png 768w\\\" sizes=\\\"auto, 
(max-width: 868px) 100vw, 868px\\\" \/><\/p>\n<p id=\\\"caption-attachment-140120\\\" class=\\\"wp-caption-text\\\">Data: Avast.<\/p>\n<\/div>\n<p>The total number of infected systems exceeds 100,000, although at the end of 2020 it was no more than 10,000. The statistics are collected only from machines where Avast antivirus is installed, so the actual size of the botnet is likely much larger.<\/p>\n<div id=\\\"attachment_140121\\\" style=\\\"width: 890px\\\" class=\\\"wp-caption alignnone\\\"><img loading=\\\"lazy\\\" decoding=\\\"async\\\" aria-describedby=\\\"caption-attachment-140121\\\" class=\\\"size-full wp-image-140121\\\" src=\\\"https:\/\/forklog.com\/wp-content\/uploads\/Figure-4.-Distribution-of-hits-in-point-of-the-country-view.png\\\" alt=\\\"The DirtyMoe botnet potentially infected tens of thousands of computers in Russia with hidden miners\\\" width=\\\"880\\\" height=\\\"347\\\" srcset=\\\"https:\/\/forklog.com\/wp-content\/uploads\/Figure-4.-Distribution-of-hits-in-point-of-the-country-view.png 880w, https:\/\/forklog.com\/wp-content\/uploads\/Figure-4.-Distribution-of-hits-in-point-of-the-country-view-300x118.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/Figure-4.-Distribution-of-hits-in-point-of-the-country-view-768x303.png 768w\\\" sizes=\\\"auto, (max-width: 880px) 100vw, 880px\\\" \/><\/p>\n<p id=\\\"caption-attachment-140121\\\" class=\\\"wp-caption-text\\\">Data: Avast.<\/p>\n<\/div>\n<p>Usually DirtyMoe spreads via spam, luring users to malicious sites where the PurpleFox exploits are hosted. Avast ties the spike in infections to <a href=\"https:\/\/forklog.com\/en\/news\/purple-fox-botnet-acquires-worm-like-traits-to-disseminate-a-hidden-miner\">the appearance of the botnet&#8217;s worm module<\/a>. Now it can automatically scan the Internet and crack remote Windows computers by password guessing.<\/p>\n<p>Researchers explained the rise in attacks on users from Russia by the use of pirated software and delayed OS updates. 
DirtyMoe most often abuses Internet Explorer, which Microsoft will stop supporting in the summer of 2022.<\/p>\n<p>Avast urged users not to skip necessary updates and to use antivirus software.<\/p>\n<p>Earlier in June, US authorities arrested 55-year-old Russian national Alla Vitte on suspicion of <a href=\"https:\/\/forklog.com\/en\/news\/55-year-old-rostov-on-don-woman-identified-as-trickbot-botnet-operator\">the creation of the well-known TrickBot botnet<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Since the beginning of 2021, about 65,000 computers in Russia have been infected with the DirtyMoe botnet. 
The main goal of the malware remains to install a hidden cryptocurrency miner on the victim\u2019s device.<\/p>\n","protected":false},"author":1,"featured_media":44916,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1573,1154,27],"class_list":["post-44915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-botnet","tag-crimes","tag-russia"],"aioseo_notices":[],"amp_enabled":true,"views":"22","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/44915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=44915"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/44915\/revisions"}],"predecessor-version":[{"id":44917,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/44915\/revisions\/44917"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/44916"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=44915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=44915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=44915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}