Threat Actors are Targeting an Oracle WebLogic Flaw

Threat actors are exploiting an Oracle WebLogic flaw patched last month in an effort to install a piece of malware called DarkIRC on compromised servers.
The vulnerability, tracked as CVE-2020-14882 and leading to remote code execution, was addressed in the October 2020 Critical Patch Update (CPU). The first attacks targeting it were detected roughly one week later, and in early November Oracle released an out-of-band fix to address a bypass of the initial patch.
According to security researchers at Juniper Threat Labs, roughly 3,100 Oracle WebLogic servers are exposed to the Internet.
The DarkIRC bot, the researchers note, is only one of many payloads that adversaries are attempting to drop onto the vulnerable servers they discover; others include Cobalt Strike, Perlbot, Meterpreter, and Mirai.
Currently offered for $75 on hacking forums, the DarkIRC bot uses a domain generation algorithm to create command and control (C&C) domains, based on the value sent from a crypto wallet.
In the observed attacks, HTTP GET requests are sent to vulnerable WebLogic servers to execute a PowerShell script, which in turn downloads and runs a binary from a remote server. The payload is a 6MB .NET file.
A packer is used to hide the malware's true purpose and to hinder detection. The packer also includes anti-analysis and anti-sandbox features that check whether it is running in a virtualized environment such as VMware, VirtualBox, VBox, QEMU, or Xen.
The bot, which installs itself as Chrome.exe in the %APPDATA% folder and creates an autorun entry for persistence, can function as a browser stealer, keylogger, Bitcoin clipper, and file downloader.
It is also capable of launching distributed denial of service (DDoS) attacks, executing commands, and spreading itself across the network like a worm.
Commands supported by the bot include stealing browser passwords, spreading via MSSQL or RDP (brute force), starting and stopping flood attacks, updating the bot, retrieving the infected device's version or username, downloading and executing a file (and deleting it afterwards), obtaining IP addresses, spreading via USB or SMB, stealing Discord tokens, and uninstalling itself.
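The persistence mechanism described above (a Chrome.exe dropped under %APPDATA% and referenced from an autorun entry) is the kind of host artifact a defender can check for. The following is an added example, not code from the article or from Juniper; it assumes the autorun entry is a Run-key value and runs over a constructed sample of (value name, command line) pairs.

```python
import ntpath
import re

# Constructed sample of Run-key values (value name, command line), in the
# form they would be read from HKCU\...\CurrentVersion\Run. The "Chrome" and
# "Updater" entries mimic the reported DarkIRC persistence: a Chrome.exe
# living in the %APPDATA% folder instead of under Program Files.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Chrome", r'"C:\Users\alice\AppData\Roaming\Chrome.exe"'),
    ("GoogleUpdate", r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c'),
    ("Updater", r'%APPDATA%\chrome.exe -silent'),
]

# %APPDATA% resolves to the Roaming profile folder on a default Windows install,
# so accept both the unexpanded variable and the expanded path.
_APPDATA_RE = re.compile(r"(%APPDATA%|\\AppData\\Roaming)\\", re.IGNORECASE)


def _executable_from_command(cmd: str) -> str:
    """Return the program path at the start of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def suspicious_chrome_entries(entries):
    """Flag Run-key entries that launch a Chrome.exe from %APPDATA%.

    Legitimate Chrome is installed under Program Files; a Chrome.exe in the
    roaming profile matches the install location reported for DarkIRC.
    Returns a list of (value name, executable path) tuples.
    """
    flagged = []
    for name, cmd in entries:
        exe = _executable_from_command(cmd)
        if ntpath.basename(exe).lower() == "chrome.exe" and _APPDATA_RE.search(exe):
            flagged.append((name, exe))
    return flagged


if __name__ == "__main__":
    for name, exe in suspicious_chrome_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run entry {name!r} -> {exe}")
```

On a live Windows host the same (name, command) pairs can be enumerated from the HKCU and HKLM Run keys with the standard `winreg` module and passed to `suspicious_chrome_entries`.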
The bot was advertised in August by a threat actor going by the name "Freak OG," who on November 1 also advertised a FUD (fully undetectable) crypter priced at $25. The researchers are, however, unsure whether the same person is behind the current attacks.
Oracle patched the flaw in October, and a subsequent out-of-band patch was issued in November to close a hole in the original fix. "We recommend that affected systems be immediately patched," Juniper Threat Labs says.