DarkIRC Botnet Exploiting Oracle WebLogic Vulnerability
Researchers: Malware Offered for Sale for $75
A botnet called DarkIRC is exploiting a severe remote execution vulnerability in Oracle WebLogic for which a patch was issued almost two months ago, Juniper Threat Labs reports. Meanwhile, the malware used to create the botnet is being offered for sale on a darknet hacking forum.
In addition to the DarkIRC botnet, researchers at Juniper Threat Labs are tracking four other malware variants that are trying to take advantage of the WebLogic vulnerability, including a version of the Mirai botnet and a weaponized version of the Cobalt Strike penetration testing tool.
The WebLogic flaw, tracked as CVE-2020-14882, is a remote code execution vulnerability that can be exploited over a network without the need for a username and password. A threat actor would only have to send a malicious HTTP request to the WebLogic Server's management console to initiate the attack, according to a previous update by Oracle.
Oracle and the U.S. Cybersecurity and Infrastructure Security Agency have issued alerts about the importance of applying the patch, which has been available since October (see: CISA and Oracle Warn Over WebLogic Server Vulnerability).
Despite the warnings, about 3,100 WebLogic servers remain vulnerable to CVE-2020-14882, according to Juniper Threat Labs. Using the Shodan search engine, researchers at the consultancy found about 850 unpatched servers in China and another 600 in the U.S.
Paul Kimayong, a threat researcher at Juniper Threat Labs, notes that hackers are increasingly exploiting vulnerabilities in products such as WebLogic and other web application servers for a variety of purposes, including building out a botnet's network.
"Threat actors typically use what is available out there to their advantage," Kimayong says. "For instance, a lot of the attacks we are seeing are using exploits available in public sites like Exploit-db or GitHub. Sometimes it does not matter to them whether the exploit is old or not, as long as there are vulnerable systems that they can attack."
DarkIRC is a multifaceted botnet that can be used as a browser stealer or a keylogger. It can launch distributed denial-of-service attacks, execute commands and download files from infected devices, according to the Juniper Threat Labs report.
The botnet can also act as a bitcoin clipper, changing a copied bitcoin wallet address to the malware operator’s bitcoin wallet address. This essentially allows it to steal bitcoin transactions on the infected system, the report notes.
In the campaign that researchers uncovered, the DarkIRC botnet issues an “HTTP GET” request that targets a vulnerable WebLogic server, which executes a PowerShell script to download and execute a binary file.
Before deploying the final malware, the botnet checks to see if the server is running any virtual environments, including those from VMware, VirtualBox, VBox, QEMU and Xen, the report notes. If any of those are detected, the attack stops. This is part of DarkIRC's anti-sandbox and anti-detection techniques.
If the botnet does not detect these virtual machines, the malware is unpacked and installed in a Chrome file to help maintain persistence. It then deploys an autorun command, according to the report.
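The attack chain above starts with an HTTP GET to the WebLogic management console that ends in a PowerShell download. A defender can audit console access directly from the web server's access log; the following is an added example, not code from Juniper Threat Labs, with constructed log lines and an assumed admin network of 10.0.5.0/24.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed WebLogic access log lines in common log format (not from the report).
SAMPLE_LOG = """\
10.0.5.12 - admin [01/Dec/2020:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [01/Dec/2020:10:04:11 +0000] "GET /index.html HTTP/1.1" 200 812
203.0.113.7 - - [01/Dec/2020:10:05:40 +0000] "GET /console/ HTTP/1.1" 302 0
198.51.100.9 - - [01/Dec/2020:10:06:01 +0000] "GET /console/?cmd=powershell+-enc+PLACEHOLDER HTTP/1.1" 200 1337
"""

# Assumed network from which console access is legitimate; adjust for your site.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_console_requests(log_text, admin_nets=ADMIN_NETS):
    """Return a list of console requests that deserve a closer look.

    A request is flagged when it reaches /console from outside the admin
    network (the console should not be reachable there at all) or when the
    decoded request line mentions PowerShell, as in the chain described above.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/console"):
            continue  # malformed line or not a management-console request
        src = ipaddress.ip_address(m["ip"])
        decoded = unquote(unquote(m["path"])).lower()  # undo double encoding
        reasons = []
        if not any(src in net for net in admin_nets):
            reasons.append("console request from outside admin network")
        if "powershell" in decoded:
            reasons.append("request references PowerShell")
        if reasons:
            findings.append({"src": str(src), "user": m["user"],
                             "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in flag_console_requests(SAMPLE_LOG):
        print(hit["src"], hit["path"], "; ".join(hit["reasons"]))
```

Pair this with the obvious control: block the console path at the perimeter so only the admin network can reach it, and apply Oracle's October patch.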
Malware for Sale
The malware behind the DarkIRC botnet is being offered for sale on a darknet hacking forum for what appears to be a one-time fee of $75, according to Juniper Threat Labs. A threat actor using the handle "Freak_OG" has been advertising the botnet since August.
The report notes that it's not clear if this threat actor is also conducting the ongoing DarkIRC campaign or if someone who bought or rented the botnet malware is behind these attacks.