According to a report from Juniper Threat Labs analysts based on Shodan data, almost 3,000 Oracle WebLogic servers are accessible via the Internet and cybercriminals are actively using DarkIRC malware to attack them.
These servers allow unauthenticated attackers to execute arbitrary code remotely: all of them remain vulnerable to the RCE bug CVE-2020-14882, which was patched two months ago.
Hackers, of course, did not ignore this opportunity and attacked WebLogic servers using at least five different payloads. Juniper Threat Labs experts write that the most interesting of these is the DarkIRC malware, “which is currently sold on hack forums for $75.”
The attacker using the pseudonym Freak_OG began advertising and distributing DarkIRC in August 2020. Researchers have not said whether this attacker is behind the ongoing DarkIRC attacks, although the filename in one of the recently discovered payloads is very similar to the filename in the FUD (Fully Undetected) Crypter, which Freak_OG also advertised recently.
“We are not sure if the operator who attacked our bait is the same person who advertises this malware on the Hack Forum, or one of his clients,” the researchers say.
Analysts say that DarkIRC infiltrates unpatched servers through a PowerShell script, executed via an HTTP GET request, that delivers a malicious binary equipped with both anti-analysis and sandbox-evasion functionality.
For example, before unpacking, the malware checks whether it is running on a VMware, VirtualBox, VBox, QEMU, or Xen virtual machine, and stops the infection process if it detects a sandboxed environment.
After unpacking, the DarkIRC bot installs itself as %APPDATA%\Chrome\Chrome.exe and persists on the compromised host by registering itself in autorun.
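A defender-side hunt for the drop path and autorun persistence just described, added here as an example that is not part of the Juniper report or its tooling. The report names the path %APPDATA%\Chrome\Chrome.exe but not the autorun location, so the Run keys and the per-user AppData\Roaming folder below are assumptions.

```powershell
# Added hunting example (not from the Juniper report): looks for the DarkIRC
# drop location and any autorun Run-key value that references it.
# Assumption: persistence is in the standard HKLM/HKU Run keys; the report
# only says "autorun". Legitimate Chrome installs under Program Files or
# %LOCALAPPDATA%\Google\Chrome\Application, never under %APPDATA%\Chrome.

$findings = @()

# %APPDATA% is per-user, so check every profile on the host, not just the current one.
$profiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $candidate = Join-Path $p.FullName 'AppData\Roaming\Chrome\Chrome.exe'
    if (Test-Path -LiteralPath $candidate) {
        # Record the hash so the sample can be triaged and compared with vendor IoCs.
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Where = $candidate; Detail = "SHA256=$hash" }
    }
}

# Run keys: the machine-wide key plus every user hive currently loaded under HKU.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    # Skip the PS* provider metadata properties; the rest are the autorun values.
    foreach ($name in ($values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $cmd = [string]$values.$name
        # Match the reported path whether it is written expanded or with %APPDATA%.
        if ($cmd -match '(?i)(\\AppData\\Roaming|%APPDATA%)\\Chrome\\Chrome\.exe') {
            $findings += [pscustomobject]@{ Type = 'Run key'; Where = "$key\$name"; Detail = $cmd }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No DarkIRC drop path or matching autorun entry found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so that HKLM and other users' loaded hives are readable; an empty result only rules out this particular path and the Run keys, not other persistence locations.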
“DarkIRC has many features, including keylogging, stealing files and executing commands on an infected server, stealing credentials, distributing to other devices via MSSQL and RDP (brute-force), SMB or USB, and organizing DDoS attacks,” experts say.
Attackers can even use the bot as a bitcoin clipper, which allows real-time substitution of bitcoin wallet addresses on the clipboard for addresses controlled by hackers.
As a reminder, Stantinko malware is now disguising itself as the Apache web server.