DarkIRC malware actively exploits critical bug in Oracle WebLogic

According to a report from Juniper Threat Labs analysts based on Shodan data, almost 3,000 Oracle WebLogic servers are accessible via the Internet and cybercriminals are actively using DarkIRC malware to attack them.

These servers allow unauthenticated attackers to execute arbitrary code remotely: all of them are still vulnerable to the RCE bug CVE-2020-14882, which was fixed two months ago.

Hackers, of course, could not ignore this opportunity and attacked WebLogic servers using at least five different payloads. But Juniper Threat Labs experts write that the most interesting payload in this case is the DarkIRC malware, “which is currently sold on hack forums for $75.”

The attacker with the pseudonym Freak_OG began advertising and distributing DarkIRC in August 2020. Researchers have not revealed whether this attacker is behind the ongoing DarkIRC attacks, although the filename in one of the recently discovered payloads is very similar to the filename in the FUD (Fully Undetected) Crypter, which was also recently advertised by Freak_OG.

“We are not sure if the operator who attacked our bait is the same person who advertises this malware on the Hack Forum, or one of his clients,” the researchers say.

Analysts say that DarkIRC infiltrates unpatched servers through a PowerShell script delivered in an HTTP GET request; the script drops a malicious binary that has both anti-analysis and sandbox-evasion functionality.

For example, before unpacking, the malware checks whether it is running on a VMware, VirtualBox, VBox, QEMU, or Xen virtual machine, and stops the infection process if it detects a sandboxed environment.

After unpacking, the DarkIRC bot is installed as %APPDATA%\Chrome\Chrome.exe and persists on the compromised host by registering itself in autorun.
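As an added example (not from the article or from Juniper's report), a PowerShell check a defender could run on a Windows host to look for the persistence described above; the article does not name the specific autorun location, so the Run/RunOnce keys and the user Startup folder are assumed here as the usual places to check.

```powershell
# Added example: hunt for the DarkIRC persistence described in the article.
# Flags %APPDATA%\Chrome\Chrome.exe on disk and any autorun entry that points at it.
# Note: legitimate Chrome lives under Program Files or %LOCALAPPDATA%\Google\Chrome\Application,
# so a Chrome.exe directly under %APPDATA%\Chrome is not expected on a healthy host.
$target   = Join-Path $env:APPDATA 'Chrome\Chrome.exe'
$findings = @()

if (Test-Path -LiteralPath $target) {
    $file = Get-Item -LiteralPath $target
    $findings += [pscustomobject]@{ Source = 'File'; Detail = "$target ($($file.Length) bytes, modified $($file.LastWriteTime))" }
}

# Assumed autorun locations (the article only says "autorun"); extend the list for your environment.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive/... metadata
        $value = [string]$p.Value
        # Match both the expanded path and the literal %APPDATA% form a dropper might write.
        $underAppData = ($value -match [regex]::Escape($env:APPDATA)) -or ($value -match '%APPDATA%')
        if ($underAppData -and ($value -match [regex]::Escape('\Chrome\Chrome.exe'))) {
            $findings += [pscustomobject]@{ Source = $key; Detail = "$($p.Name) = $value" }
        }
    }
}

# Startup-folder shortcuts whose target is the suspicious binary.
$shell = New-Object -ComObject WScript.Shell
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if ($lnk.TargetPath -ieq $target) {
        $findings += [pscustomobject]@{ Source = 'Startup folder'; Detail = $_.FullName }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No DarkIRC-style persistence found.' }
```

Run it in an elevated session so the HKLM keys are readable; a hit on the file alone is worth triaging even when no autorun entry references it.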

“DarkIRC has many features, including keylogging, stealing files and executing commands on an infected server, stealing credentials, distributing to other devices via MSSQL and RDP (brute-force), SMB or USB, and organizing DDoS attacks,” experts say.

Attackers can even use the bot as a bitcoin clipper, which substitutes bitcoin wallet addresses on the clipboard in real time with addresses controlled by the attackers.

DarkIRC Malware and Oracle WebLogic

Let me remind you that Stantinko malware is now masked as the Apache web server.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after that I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
