DirtyMoe, also known as PurpleFox, is a complex and rapidly growing malware that has been designed as a modular system. It was initially detected in 2020 with 10,000 infected systems, but by the first half of 2021, it had expanded to over 100,000 infections, according to researchers from Avast. The malware's operations changed significantly towards the end of 2020 when its authors added a worm module, enabling it to spread via the internet to other Windows systems. The DirtyMoe rootkit is typically delivered through malspam campaigns or malicious sites hosting the PurpleFox exploit kit, which triggers vulnerabilities in Internet Explorer, such as the CVE-2020-0674 scripting engine memory corruption vulnerability.
In Ukraine, the Computer Emergency Response Team (CERT-UA) has issued a warning about a malware campaign that has already infected at least 2,000 computers in the country with DirtyMoe. This alert came following a massive damage to a state-owned enterprise's computer systems caused by this malicious program. CERT-UA has taken measures to provide practical assistance to mitigate the impact of this cyber threat, guided by Clause 1 of Article 9 of the Law of Ukraine "On the Basic Principles of Ensuring Cyber Security of Ukraine".
The removal of DirtyMoe components presents a significant challenge due to the use of the rootkit, prompting CERT-UA to share technical details about the ongoing campaign, tracked as UAC-0027. The malware can infect systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, DirtyMoe can steal personal information, disrupt operations, or even hold data hostage for ransom, posing serious threats to both individual users and organizations.