icon

Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deak daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Buffalo, New York
United States

Current Threat Data

Dirtymoe (Purplefox) Affected More Than 2000 Computers in Ukraine

Summary:
The Government Computer Emergency Response Team of Ukraine (CERT-UA) took action under the law to assist a state-owned enterprise facing significant damage from the DIRTYMOE (PURPLEFOX) malicious program, affecting over 2,000 computers in the Ukrainian internet segment. Analysis of malware samples and reference to reports from Avast and Trendmicro aided in understanding the threat's intricacies. The Technical Information section provides details for handling the issue, emphasizing the importance of segregating outdated systems and implementing filtering measures.

Security Officer Comments:
DIRTYMOE, a known modular malware, enables remote access, primarily for DDoS attacks and mining, and uses a rootkit for persistent presence. It spreads through popular software with an MSI installer and employs various methods for self-propagation, exploiting vulnerabilities and using obfuscated IP addresses. The management infrastructure's fault tolerance involves multiple communication methods. During a monitoring period in January 2024, 486 intermediate control servers were identified, mostly in compromised equipment located in China, with around 20 new IP addresses added daily. The ongoing activity is tracked by the identifier UAC-0027, and entities are urged to eliminate the cyber threat based on CERT-UA-provided information available here:

Suggested Corrections:
To search for signs of damage:

  1. Examine network connections using the list of IP addresses listed in the application. Typically, outgoing connections are made to "high" (10000+) network ports.
  2. Using the standard utility regedit.exe, check the values in the registry of the operating system by keys (Fig. 1):
  • for WindowsXP: HKEY_LOCAL_MACHINE\ControlSet001\Services\AC0[0-9]
  • for Windows7: HKEY_LOCAL_MACHINE\Software\Microsoft\DirectPlay8\Direct3D
  1. Using the standard Event Viewer utility in the "Application" log (source: "MsiInstaller"), examine the entries with event identifiers 1040 and 1042 (Fig. 3).
  2. Visually inspect the directory "C:\Program Files" for the presence of folders with an arbitrarily generated name, for example: "C:\Program Files\dvhvA".
  3. The persistence of the launch of the malicious program is ensured by creating a service. In turn, backdoor and module files are stored in standard directories (listed below). At the same time, the use of a rootkit prevents the detection and/or removal of the malicious program directly from the affected computer.

HKEY_LOCAL_MACHINE\System\ControlSet001\services\MsXXXXXXXXXApp C:\Windows\System32\MsXXXXXXXXXApp.dll C:\Windows\AppPatch\DBXXXXXXMK.sdb C:\Windows\AppPatch\RCXXXXXXXXXMS.sdb C:\Windows\AppPatch\TKXXXXXXXXXMS.sdb

  • XXXXXXXX - arbitrarily generated sequence in the range [A-F0-9]{8} (example: "MsBA4B6B3AApp.dll")

Additionally, the linked resources includes IOCS, and ways companies can search for and remove the malicious programs.

Link(s):
https://cert.gov.ua/article/6277422

Contact Us for Threat Assistance
Back to Current Threats