The DarkIRC botnet aims to exploit vulnerable Oracle WebLogic servers

Researchers from Juniper Threat Labs have reported up to 5 types of cyberattacks against more than 3000 exposed Oracle WebLogic servers, including a botnet called DarkIRC.

The goal of the cybercriminals is to exploit the vulnerability identified by CVE-2020-14882, already reported by the researcher Voidfyoo from Chaitin Security Research Lab and patched in Oracle critical October 2020 updates.

The botnet in question performs a unique command and control domain (C&C) generation algorithm based on the sent value of a particular cryptographic wallet. DarkIRC is currently being sold on underground forums for $75 USD.

The malware includes capabilities such as: acting as a keylogger, downloading files and executing commands on the infected server, stealing credentials, spreading to other devices via MSSQL and RDP (in both cases by brute force), SMB or USB commands, as well as performing DDoS attacks and stealing bitcoin transactions on the infected system, by implementing a clipper that changes the address of the copied bitcoin portfolio to the address of the malware operator's bitcoin portfolio.