We have seen DirtyMoe being spread by various exploit kits such as PurpleFox, or via trojanized installers, as seen for example with Telegram's installer. However, one of the DirtyMoe modules also implements worming techniques to spread itself. In this next part of the DirtyMoe series, we will dissect this module...
DirtyMoe is delivered by the PurpleFox exploit kit as an MSI installer package. The MSI installer is a popular way to deploy malware because it supports multiple configurations for different Windows versions, all within one package.
The Windows kernel allows loading drivers signed with revoked certificates. The DirtyMoe driver is also signed with revoked certificates, which are moreover widely abused by other malware. Motivated by these facts, this article analyzes the mechanism by which Windows manages certificate revocation...
The DirtyMoe malware is a complex malicious backdoor employing various self-protection and anti-forensics mechanisms. One of the more significant safeguards is a rootkit. The next article of the DirtyMoe series explains rootkit functionality in detail.
Three measures of exploits, one of vulnerable drivers, half a measure of Delphi. Shake it very well until it's ice-cold, then add a large thin slice of VMProtect. Got it?