A Remote Code Execution vulnerability, in the Oracle WebLogic Server, was recently discovered. The Oracle WebLogic vulnerability was due to the Oracle Fusion Middleware console component, according to Juniper Threat labs, almost 3000 Oracle WebLogic servers are reachable over the internet, based on Shodan statistics. Attackers are targeting potentially vulnerable WebLogic servers using at least five different payloads, one of which is the DarkIRC botnet Malware, selling for $75. It’s unclear if this is the same threat actor behind the ongoing attacks.
DarkIRC is delivered on unpatched servers via a PowerShell script, executed via an HTTP GET request as a malicious binary that comes with anti-analysis and anti-sandbox capabilities. Once unpacked, it will install itself in the %APPDATA%\Chrome\Chrome.exe directory. It creates a backdoor on the compromised device by creating an autorun entry. DarkIRC can perform several malicious actions including downloading files, keylogging, execution commands on the server, credential theft, spreading to other devices via MSSQL and RDP (through brute force attacks), SMB or USB. It can also launch several DDoS attacks. Interestingly, it can also be used as a Bitcoin clipper that allows them to change bitcoin wallet addresses copied to the clipboard to one controlled by its operators in real-time.
Oracle released a patch two months ago for this flaw. An immediate upgrade is recommended to avoid this vulnerability or compromise from Malware.
Source: Juniper Networks