A new version of the DirtyMoe botnet has been discovered with major modifications in the form of anti-forensic, anti-debugging, and anti-tracking capabilities. With the new release, actors boast of a threat profile that can’t be tracked or identified easily.

How does it work?

The attackers use phishing emails and infected files that include URLs to exploit IE vulnerabilities to gain higher privileges. 
  • It uses PurpleFox’s exploit kit to abuse the EternalBlue exploit kit.
  • The attack starts with the threat actors trying to obtain admin privileges on a targeted Windows machine. 
  • After obtaining admin rights, attackers use the Windows MSI installer to drop DirtyMoe that exploits Windows Session Manager to overwrite a System Event Notification file sens[.]dll.

Hiding techniques

  • The attackers use VMProtect and their own encryption algorithm to evade detection.
  • Additionally, they use rootkit methods to hide botnets and multi-level network communication infrastructure to protect servers.

Going by reports, the malware authors used the new malware mostly in cryptojacking attacks. Meanwhile, other researchers claim that DirtyMoe could be used to carry out DDoS attacks as well.


Threat actors behind DirtyMoe are in a quest to make this malware more capable by adding new vulnerability exploits to its code. Deploying vulnerability management solutions is one effective way to protect networks and systems. Further, enterprises must ensure that an adequate anti-phishing strategy for better protection.

Cyware Publisher