ThreatIT: Almost 3,000 Oracle WebLogic servers are reachable over the Internet and still allow unauthenticated attackers to execute arbitrary code remotely, according to a Juniper Threat Labs report based on Shodan data. All of them remain vulnerable to CVE-2020-14882, an RCE bug that was patched two months ago.
Attackers have naturally taken advantage of this, hitting WebLogic servers with at least five different payloads. According to Juniper Threat Labs, the most interesting of these is the DarkIRC malware, "which is currently sold on hack forums for $75."
The attacker distributing DarkIRC goes by the pseudonym Freak_OG and began advertising the malware in August 2020. The researchers have not established whether this actor is behind the ongoing DarkIRC attacks, although the filename in one of the recently discovered payloads closely resembles the filename of the FUD (Fully Undetected) crypter that Freak_OG also advertised recently.
“We are not sure if the operator who attacked our bait is the same person who advertises this malware on the Hack Forum, or one of his clients,” the researchers say.
Analysts say that DarkIRC infiltrates unpatched servers via a PowerShell script delivered through an HTTP GET request, which in turn drops a malicious binary with anti-analysis and sandbox-evasion functionality. For example, before unpacking, the malware checks whether it is running under VMware, VirtualBox, VBox, QEMU, or Xen and aborts the infection if it detects a sandboxed environment.
After unpacking, the DarkIRC bot is installed as `%APPDATA%\Chrome\Chrome.exe` and persists on the compromised machine by registering itself in autorun.
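A defender's check for the persistence described above, written for this article and not taken from Juniper's report. It assumes (the article does not say) that "autorun" means a Run/RunOnce key under HKCU or HKLM, or a shortcut in the user's Startup folder; run it in an elevated PowerShell session on a suspect host.

```powershell
# Hunt for the DarkIRC persistence artefacts described above.
# Assumption (not stated in the article): "autorun" means a Run/RunOnce
# registry key or a shortcut in the user's Startup folder.
$Suspect  = Join-Path $env:APPDATA 'Chrome\Chrome.exe'
$Findings = @()

# 1. The dropped binary itself. A genuine Chrome install lives under
#    %LOCALAPPDATA%\Google\Chrome or Program Files, never %APPDATA%\Chrome.
if (Test-Path -LiteralPath $Suspect) {
    $Hash = (Get-FileHash -LiteralPath $Suspect -Algorithm SHA256).Hash
    $Sig  = (Get-AuthenticodeSignature -LiteralPath $Suspect).Status
    $Findings += [pscustomobject]@{
        Type = 'File'; Location = $Suspect; Detail = "sha256=$Hash signature=$Sig"
    }
}

# 2. Run/RunOnce values that point at the suspect path.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$Pattern = '(?i)(\\AppData\\Roaming|%APPDATA%)\\Chrome\\Chrome\.exe'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Name in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $Value = [string]$Props.$Name
        if ($Value -match $Pattern) {
            $Findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$Key\$Name"; Detail = $Value }
        }
    }
}

# 3. Startup-folder shortcuts whose target is the suspect path.
$Startup = [Environment]::GetFolderPath('Startup')
$Shell   = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $Startup -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $Target = $Shell.CreateShortcut($_.FullName).TargetPath
    if ($Target -ieq $Suspect) {
        $Findings += [pscustomobject]@{ Type = 'StartupLnk'; Location = $_.FullName; Detail = $Target }
    }
}

if ($Findings.Count -eq 0) { 'No DarkIRC persistence artefacts found.' }
else { $Findings | Format-Table -AutoSize }
```

The file hash is printed so it can be checked against the indicators in the Juniper report; the article itself lists none.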
Experts note that DarkIRC has many capabilities, including keylogging, stealing files and executing commands on an infected server, stealing credentials, spreading to other devices via MSSQL and RDP (by brute force), SMB or USB, and launching DDoS attacks.
Attackers can also use the bot as a bitcoin clipper, which replaces bitcoin wallet addresses on the clipboard in real time with addresses under the attackers' control.