Dirtymoe (Purplefox) Affected More Than 2000 Computers in Ukraine

The Government Computer Emergency Response Team of Ukraine (CERT-UA) took action under the law to assist a state-owned enterprise facing significant damage from the DIRTYMOE (PURPLEFOX) malicious program, affecting over 2,000 computers in the Ukrainian internet segment. Analysis of malware samples and reference to reports from Avast and Trendmicro aided in understanding the threat's intricacies. The Technical Information section provides details for handling the issue, emphasizing the importance of segregating outdated systems and implementing filtering measures.

Security Officer Comments:
DIRTYMOE, a known modular malware, enables remote access, primarily for DDoS attacks and mining, and uses a rootkit for persistent presence. It spreads through popular software with an MSI installer and employs various methods for self-propagation, exploiting vulnerabilities and using obfuscated IP addresses. The management infrastructure's fault tolerance involves multiple communication methods. During a monitoring period in January 2024, 486 intermediate control servers were identified, mostly in compromised equipment located in China, with around 20 new IP addresses added daily. The ongoing activity is tracked by the identifier UAC-0027, and entities are urged to eliminate the cyber threat based on CERT-UA-provided information available here:

Suggested Corrections:
To search for signs of damage:

  1. Examine network connections using the list of IP addresses listed in the application. Typically, outgoing connections are made to "high" (10000+) network ports.
  2. Using the standard utility regedit.exe, check the values in the registry of the operating system by keys (Fig. 1):
  • for WindowsXP: HKEY_LOCAL_MACHINE\ControlSet001\Services\AC0[0-9]
  • for Windows7: HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D
  1. Using the standard Event Viewer utility in the "Application" log (source: "MsiInstaller"), examine the entries with event identifiers 1040 and 1042 (Fig. 3).
  2. Visually inspect the directory "C:\Program Files" for the presence of folders with an arbitrarily generated name, for example: "C:\Program Files\dvhvA".
  3. The persistence of the launch of the malicious program is ensured by creating a service. In turn, backdoor and module files are stored in standard directories (listed below). At the same time, the use of a rootkit prevents the detection and/or removal of the malicious program directly from the affected computer.

HKEY_LOCAL_MACHINE\System\ControlSet001\services\MsXXXXXXXXXApp C:\Windows\System32\MsXXXXXXXXXApp.dll C:\Windows\AppPatch\DBXXXXXXMK.sdb C:\Windows\AppPatch\RCXXXXXXXXXMS.sdb C:\Windows\AppPatch\TKXXXXXXXXXMS.sdb

  • XXXXXXXX - arbitrarily generated sequence in the range [A-F0-9]{8} (example: "MsBA4B6B3AApp.dll")

Additionally, the linked resources includes IOCS, and ways companies can search for and remove the malicious programs.