The DarkIRC botnet aims to exploit vulnerable Oracle WebLogic servers
Researchers from Juniper Threat Labs have reported up to 5 types of cyberattacks against more than 3000 exposed Oracle WebLogic servers, including a botnet called DarkIRC.
The goal of the attackers is to exploit the vulnerability tracked as CVE-2020-14882, reported earlier by the researcher Voidfyoo of Chaitin Security Research Lab and patched in Oracle's October 2020 critical updates.
The botnet uses an unusual command-and-control (C&C) domain generation algorithm that derives the domain from the value sent to a particular cryptocurrency wallet. DarkIRC is currently being sold on underground forums for $75 USD.
The malware's capabilities include: acting as a keylogger, downloading files and executing commands on the infected server, stealing credentials, spreading to other devices over MSSQL and RDP (by brute-forcing credentials in both cases), SMB or USB, performing DDoS attacks, and hijacking bitcoin transactions on the infected system through a clipper that replaces a copied bitcoin wallet address with the wallet address of the malware operator.
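The clipper behaviour described above can be watched for on an endpoint. The following is an added example, not code from Juniper or from the malware: it validates legacy Base58Check bitcoin addresses and flags a clipboard snapshot sequence in which a valid address is silently replaced by a different valid address. The snapshot list, the polling interval and the "operator" address (built from a made-up hash) are all constructed for the example.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # each leading zero byte is encoded as a leading '1'
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58decode(s: str):
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None  # not Base58 at all
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + raw

def b58check_encode(version: int, hash160: bytes) -> str:
    body = bytes([version]) + hash160
    check = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    return b58encode(body + check)

def is_legacy_btc_address(s: str) -> bool:
    """Base58Check validation of a P2PKH (0x00) or P2SH (0x05) address."""
    data = b58decode(s) if 26 <= len(s) <= 35 else None
    if data is None or len(data) != 25 or data[0] not in (0x00, 0x05):
        return False
    check = hashlib.sha256(hashlib.sha256(data[:21]).digest()).digest()[:4]
    return check == data[21:]

def detect_clipper_swaps(snapshots, max_gap=2.0):
    """snapshots: [(seconds, clipboard_text)] from a polling clipboard monitor.
    Flags a valid address replaced by a different valid address within max_gap
    seconds; a user re-copying a second address within that window also trips it."""
    alerts, prev_t, prev = [], None, None
    for t, text in snapshots:
        if prev is not None and text != prev and t - prev_t <= max_gap \
                and is_legacy_btc_address(prev) and is_legacy_btc_address(text):
            alerts.append((t, prev, text))
        prev_t, prev = t, text
    return alerts

# Constructed sample: the well-known genesis-block address, then an "operator"
# address built from a made-up hash160 (not a real indicator).
USER_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
OPERATOR_ADDR = b58check_encode(0x00, bytes(range(20)))
SAMPLE = [(0.0, "invoice #123"), (5.0, USER_ADDR), (5.5, OPERATOR_ADDR), (30.0, OPERATOR_ADDR)]

if __name__ == "__main__":
    print(detect_clipper_swaps(SAMPLE))
```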
- 01/12/2020 blogs.juniper.net DarkIRC bot exploits recent Oracle WebLogic vulnerability
- 10/11/2020 incibe-cert.es Vulnerability in Oracle WebLogic Server affects Industrial Control Systems
- 01/12/2020 bleepingcomputer.com Critical Oracle WebLogic flaw actively exploited by DarkIRC malware
- 01/12/2020 noticiasseguridad.com Critical flaw in Oracle WebLogic actively exploited by the DarkIRC malware
- 03/12/2020 bankinfosecurity.com DarkIRC Botnet Exploiting Oracle WebLogic Vulnerability