One or more systems are infected by users accessing compromised websites, downloading malware, opening infected email attachments or using storage media containing malware. In some networks, a worm can be introduced by users bringing their own devices to work.
The infected system then starts scanning the network for other systems to infect. In a network scan, a single host attempts to make connections to other systems on a specific port number. In the case of Morto, this was TCP port 3389, which is used by the Microsoft Windows Remote Desktop Protocol (RDP). If it finds a host listening on this port, it tries a long list of passwords to gain access to the system.
Infected machines then try to connect to external websites and download updates.
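The scanning step described above leaves a recognisable pattern in flow logs: one source contacting many distinct hosts on TCP 3389 in a short time. The following detection sketch is an added example, not part of the original page; the record layout, the addresses and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

def build_sample_flows():
    """Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = []
    # One host sweeps 40 addresses on TCP 3389, one connection per second.
    flows += [(1000 + i, "10.0.0.23", f"10.0.1.{i + 1}", 3389) for i in range(40)]
    # An admin workstation opens repeated RDP sessions to three servers.
    flows += [(1000 + 5 * i, "10.0.0.5", f"10.0.2.{i % 3 + 1}", 3389) for i in range(30)]
    # Unrelated web traffic; dropped by the port filter.
    flows += [(1000 + i, "10.0.0.23", "203.0.113.10", 80) for i in range(5)]
    return flows

def find_scanners(flows, port=3389, window=60, min_targets=10):
    """Return {src_ip: peak} for sources that contacted at least `min_targets`
    distinct hosts on `port` within any `window`-second span.
    The default thresholds are assumptions and need tuning per network."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    scanners = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst_ip -> connections inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward: drop events older than `window` seconds.
            while events[start][0] < ts - window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners

if __name__ == "__main__":
    for src, peak in find_scanners(build_sample_flows()).items():
        print(f"{src} contacted {peak} distinct hosts on TCP 3389 within 60s")
```

Counting distinct destinations rather than total connections keeps the admin workstation, which reconnects often to the same three servers, below the threshold.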