DarkIRC botnet is targeting the critical Oracle WebLogic CVE-2020-14882

Pierluigi Paganini December 01, 2020

The critical remote code execution (RCE) vulnerability CVE-2020-14882 in Oracle WebLogic is actively exploited by operators behind the DarkIRC botnet.

Experts reported that the DarkIRC botnet is actively targeting thousands of exposed Oracle WebLogic servers in the attempt of exploiting the CVE-2020-14882.

The CVE-2020-14882 can be exploited by unauthenticated attackers to take over the system by sending a simple HTTP GET request.

The vulnerability received a severity rating 9.8 out of 10, it was addressed by Oracle in October Critical Patch Update (CPU).

The vulnerability affects versions of Oracle WebLogic Server are 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.

The flaw was discovered by the security researcher Voidfyoo from Chaitin Security Research Lab

According to Shodan, 2,973 Oracle WebLogic servers exposed online are potentially vulnerable to remote attacks exploiting the above flaw. Most of these systems are in China (829), followed by the United States (526) and Iran (369).

Juniper Threat Labs researchers observed at least five different variants of malicious spayload.

“Juniper Threat Labs is seeing active attacks on Oracle WebLogic software using CVE-2020-14882. This vulnerability, if successfully exploited, allows unauthenticated remote code execution.” states the analysis published by Juniper Threat Labs experts. “As of this writing, we found 3,109 open Oracle WebLogic servers using Shodan. We are seeing at least five different variants of attacks/payload.”

One of the payloads targeting the Oracle WebLogic servers observed by the experts is the DarkIRC malware which is currently being sold on cybercrime forums for 75USD.

Searching for the operators behind this threat, the researchers found an account in Hack Forums that goes online with the name of Freak_OG that is advertising the botnet since August 2020.

DarkIRC botnet is targeting the critical Oracle WebLogic CVE-2020-14882

It is not clear if Freak_OG is the same actor behind the recent wave of attacks.

The attackers sent an HTTP GET request to a vulnerable WebLogic server, which will execute a powershell script to download and execute a binary file hosted in cnc[.]c25e6559668942[.]xyz

DarkIRC authors used a crypter to avoid detection, it includes anti-analysis and anti-sandbox features. The malware also tries to detect if it is running in virtualized environments, such as VMware, VirtualBox, VBox, QEMU, or Xen virtual machine.

“The bot installs itself in the %APPDATA%\Chrome\Chrome.exe and creates an autorun entry. Among its functions include:

  • Browser Stealer
  • Keylogging
  • Bitcoin Clipper
  • DDoS
    • Slowloris
    • RUDY (R-U-DeadYet?)
    • TCP Flood
    • HTTP Flood
    • UDP Flood
    • Syn Flood
  • Worm or spread itself in the network
  • Download Files
  • Execute Commands”

The malware also implements a Bitcoin clipper feature to hijack bitcoin transactions on the infected system by changing the copied bitcoin wallet address to the malware operator’s bitcoin wallet address.

In October, security researchers from SANS Technology Institute set up a collection of honeypots set up allowed the researchers to catch a series of attacks shortly after the exploit code for CVE-2020-14882 was publicly available.

In early November, at least one ransomware operator appears to have exploited the CVE-2020-14882 vulnerability affecting Oracle WebLogic.

CISA also urged administrators to apply the security update to secure their servers.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment