Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Recent Oracle WebLogic Vulnerability Exploited to Deliver DarkIRC Malware

Threat actors are targeting an Oracle WebLogic flaw patched last month in an attempt to install a piece of malware named DarkIRC on vulnerable systems.

Threat actors are targeting an Oracle WebLogic flaw patched last month in an attempt to install a piece of malware named DarkIRC on vulnerable systems.

Tracked as CVE-2020-14882 and leading to code execution, the vulnerability was addressed in the October 2020 Critical Patch Update (CPU). The first attacks targeting it were observed roughly one week after and, in early November, Oracle issued an out-of-band update to address an easy bypass for the initial patch.

According to Juniper Threat Labs’ security researchers, there are approximately 3,100 Oracle WebLogic servers that are accessible from the Internet.

The DarkIRC bot, the researchers say, is only one of the several payloads (including Cobalt Strike, Perlbot, Meterpreter, and Mirai) that adversaries are attempting to drop onto the vulnerable servers they discover.

Currently available on hacking forums for $75, the DarkIRC bot generates command and control (C&C) domains using a unique algorithm, relying on the sent value of a crypto wallet.

As part of the observed attacks, HTTP GET requests are issued to the vulnerable WebLogic servers, to execute a PowerShell script that in turn downloads and executes a binary file from a remote server. The payload is a 6MB .NET file.

A packer is used to conceal the malware’s true intentions and to help avoid detection. The packer also features anti-analysis and anti-sandbox functions, attempting to detect whether it is running in virtualized environments such as VMware, VirtualBox, VBox, QEMU, and Xen.

The bot, which installs itself in the %APPDATA% folder as Chrome.exe and creates an autorun entry for persistency, can act as a browser stealer, keylogger, Bitcoin clipper, and file downloader.

Furthermore, it is capable of launching distributed denial of service (DDoS) attacks, of command execution, and of spreading itself on the network, as a worm.

Commands supported by the bot allow it to steal browser passwords, spread via mssql or RDP (brute force), start/cease flood attacks, update the bot, retrieve version information or username of the infected system, fetch and execute (and remove), get IP address, spread via USB or SMB, steal Discord tokens, and uninstall itself.

In August, the bot was being advertised by a threat actor going by the name of “Freak_OG,” who also posted a FUD (fully undetected) crypter on November 1, priced at $25. However, the researchers are unsure whether the same person is behind the attacks as well.

“This vulnerability was fixed by Oracle in October and a subsequent out of cycle patch was also released in November to fix a hole in the previous patch. We recommend affected systems to patch immediately,” Juniper Threat Labs notes.

Related: Oracle Issues Out-of-Band Update for Critical Vulnerability Exploited in Attacks

Related: Oracle WebLogic Vulnerability Targeted One Week After Patching

Related: Oracle’s October 2020 CPU Contains 402 New Security Patches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Cybercrime

Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.