DirtyMoe Malware Infects Over 2,000 Ukrainian Computers for DDoS and Cryptojacking


Ukraine’s Computer Emergency Response Team (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.

The agency attributed the campaign to a threat actor it tracks as UAC-0027.

DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity company Avast revealed the malware’s ability to spread in a worm-like manner by exploiting known security flaws.

The DDoS botnet is known to be delivered through another malware called Purple Fox or through fake MSI installation packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that lets the threat actors hide the malware on the machine, making it difficult to detect and remove.

The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA recommends that organizations keep their systems up to date, enforce network segmentation, and monitor network traffic for anomalous activity.

The revelation comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the aim of delivering a custom PowerShell backdoor called SUBTLE-PAWS.

“The exploitation chain is relatively simple: it involves the target running a malicious shortcut file (.lnk) that loads and executes a new PowerShell backdoor payload code (found in another file in the same archive),” security researchers Den Iuzvyk, Tim Peck and Oleg Kolesnikov said.

The attack is said to be linked to a threat actor known as Shuckworm, also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530 and Winterflounder. It has been active since at least 2013 and is believed to be part of Russia’s Federal Security Service (FSB).

SUBTLE-PAWS not only establishes persistence on the host, but also retrieves its command-and-control (C2) information from Telegraph, Telegram's blogging platform, a technique that has been associated with the adversary since early 2023. The backdoor can also spread via removable drives connected to the infected machine.

Gamaredon’s ability to spread via USB drives was also documented in November 2023 by Check Point, which named the PowerShell-based USB worm LitterDrifter.

“The SUBTLE-PAWS backdoor uses advanced techniques to dynamically execute malicious payloads,” the researchers said.

“They store and retrieve PowerShell executable code from the Windows registry, which can help evade traditional file-based detection methods. This approach also helps maintain persistence on the infected system, as the malware can reinitiate itself after restarts or other interruptions.”
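The registry-backed persistence the researchers describe above leaves a trace in autostart entries: a Run-key value that launches PowerShell, which then reads its real payload out of the registry and evaluates it. The following Python is an added example, not code from Securonix or from the article, that triages constructed Run-key entries with simple heuristics; the entry names, paths and the registry value `Blob` are made up.

```python
"""Heuristic triage of Windows autostart entries for PowerShell that pulls
and evaluates code from the registry. All sample entries are constructed."""
import base64
import re
from typing import List, NamedTuple, Optional

class AutostartEntry(NamedTuple):
    key: str      # registry key, e.g. HKCU\...\CurrentVersion\Run
    name: str     # value name
    command: str  # command line stored in the value

class Finding(NamedTuple):
    entry: AutostartEntry
    reasons: List[str]

POWERSHELL = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")
# Indicators checked on the command line and on any decoded -EncodedCommand.
INDICATORS = {
    "hidden window / no profile": re.compile(r"(?i)-w(indowstyle)?\s+hidden|-nop(rofile)?\b"),
    "reads the registry": re.compile(
        r"(?i)Get-ItemProperty(Value)?\b|\bHK(LM|CU|EY_[A-Z_]+)\b|\breg(\.exe)?\s+query\b"),
    "evaluates code at runtime": re.compile(r"(?i)\b(iex|Invoke-Expression)\b|\[ScriptBlock\]::Create"),
    "encoded command": re.compile(r"(?i)(?<=\s)-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})"),
}

def _decode_encoded_command(command: str) -> Optional[str]:
    """Return the -EncodedCommand payload (base64 of UTF-16LE), if decodable."""
    m = INDICATORS["encoded command"].search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess(entry: AutostartEntry) -> Optional[Finding]:
    """Flag an entry only if it launches PowerShell AND shows an indicator."""
    if not POWERSHELL.search(entry.command):
        return None
    texts = [entry.command]
    decoded = _decode_encoded_command(entry.command)
    if decoded:
        texts.append(decoded)  # scan the decoded payload too
    reasons = [name for name, rx in INDICATORS.items() if any(rx.search(t) for t in texts)]
    return Finding(entry, reasons) if reasons else None

def triage(entries: List[AutostartEntry]) -> List[Finding]:
    return [f for f in (assess(e) for e in entries) if f]

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed samples: two benign, two imitating the described technique.
_ENC = base64.b64encode(r"iex (Get-ItemProperty 'HKCU:\Software\ExampleVendor').Blob".encode("utf-16-le")).decode()
SAMPLE_ENTRIES = [
    AutostartEntry(RUN, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutostartEntry(RUN, "NightlyBackup", r"powershell.exe -File C:\Scripts\backup.ps1"),
    AutostartEntry(RUN, "Updater", r'''powershell.exe -nop -w hidden -c "iex (Get-ItemPropertyValue -Path 'HKCU:\Software\ExampleVendor' -Name Blob)"'''),
    AutostartEntry(RUN, "Svc", "powershell -EncodedCommand " + _ENC),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f"{f.entry.key}\\{f.entry.name}: {', '.join(f.reasons)}")
```

On a live host the same `assess` function can be fed entries enumerated from the Run, RunOnce and similar autostart keys; a plain `-File` launch of a script is deliberately not flagged so that routine administrative tasks do not drown the findings.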
