2 December 2020

DarkIRC botnet is actively targeting vulnerable Oracle WebLogic servers

Thousands of exposed Oracle WebLogic servers are being actively targeted by threat actors in an attempt to exploit the critical CVE-2020-14882 flaw, which allows unauthenticated remote code execution, researchers at Juniper Threat Labs warn.

CVE-2020-14882 can be exploited by unauthenticated attackers to compromise the system by sending a simple HTTP GET request. It impacts Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0. The vulnerability was fixed by Oracle in October this year.

The experts said they found more than 3,000 internet-exposed Oracle WebLogic servers potentially vulnerable to attacks exploiting CVE-2020-14882. The majority of these systems are located in China (849), the United States (599), Iran (370), Germany (133), and India (124).

Juniper Threat Labs detected at least five types of attacks against vulnerable servers, one of which installs a bot called DarkIRC. This bot uses a unique command-and-control domain generation algorithm that relies on the value sent to a particular crypto wallet. Currently, DarkIRC is being sold on underground forums for $75 USD.

While investigating the operators behind the botnet, the researchers found an account on Hack Forums by the name of “Freak_OG” that advertised DarkIRC back in August 2020. In November, the same account posted a FUD (Fully Undetected) Crypter, selling it for $25 USD. The researchers said that the file demonstrated in the post resembled the “Application Name” of the payload (WindowsFormsApp2.exe) used in the observed attacks against Oracle WebLogic servers.

However, it is not clear if Freak_OG is the same threat actor behind the recent wave of attacks.

According to the Juniper Threat Labs’ report, the DarkIRC malware is delivered to vulnerable servers by a PowerShell script executed via an HTTP GET request; the payload is a malicious binary that comes with both anti-analysis and anti-sandbox capabilities. It checks whether it is running in a VMware, VirtualBox, VBox, QEMU, or Xen virtual machine and, if not, the bot installs itself as %APPDATA%\Chrome\Chrome.exe and creates an autorun entry.
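As an added defender-side example (not from the article or from Juniper's report), the Python below hunts exported Run-key autorun entries for a chrome.exe launched from outside the genuine Chrome install directories, which is how the %APPDATA%\Chrome\Chrome.exe persistence described above would surface. The sample entries and environment values are constructed.

```python
"""Flag autorun entries that launch chrome.exe from a non-standard directory.
Assumed input: Run-key values exported as (name, command) pairs, e.g. from
HKCU\\...\\CurrentVersion\\Run. Works offline on any OS via ntpath."""
import ntpath
import re

# Constructed sample export; the two %APPDATA%\Chrome entries mirror the
# DarkIRC install location named in the article.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Chrome", r'"%APPDATA%\Chrome\Chrome.exe"'),
    ("GoogleChromeAutoLaunch", r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'),
    ("Updater", r'C:\Users\alice\AppData\Roaming\Chrome\Chrome.exe -silent'),
]

# Constructed environment for the sample host (replace with os.environ on Windows).
ENV = {"appdata": r"C:\Users\alice\AppData\Roaming",
       "localappdata": r"C:\Users\alice\AppData\Local"}

# Directories where a genuine Chrome binary lives (per-machine and per-user installs).
LEGIT_CHROME_DIRS = (
    r"C:\Program Files\Google\Chrome\Application",
    r"C:\Program Files (x86)\Google\Chrome\Application",
    r"%LOCALAPPDATA%\Google\Chrome\Application",
)

def expand_env(path, env):
    """Expand %VAR% tokens from the supplied environment; unknown vars are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def executable_of(command):
    """Pull the program path out of a Run-key command line, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)  # unquoted path, possibly with spaces
    return m.group(1) if m else command.split(" ", 1)[0]

def is_suspicious_chrome(command, env):
    """True when the command runs chrome.exe from anywhere other than a legitimate install dir."""
    exe = ntpath.normpath(expand_env(executable_of(command), env)).lower()
    if ntpath.basename(exe) != "chrome.exe":
        return False
    legit = {ntpath.normpath(expand_env(d, env)).lower() for d in LEGIT_CHROME_DIRS}
    return ntpath.dirname(exe) not in legit

def hunt(entries, env):
    """Return the names of autorun entries that warrant a closer look."""
    return [name for name, cmd in entries if is_suspicious_chrome(cmd, env)]

if __name__ == "__main__":
    print(hunt(SAMPLE_RUN_ENTRIES, ENV))  # ['Chrome', 'Updater']
```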

The malware includes multiple capabilities such as keylogging, downloading files and executing commands on the infected server, stealing credentials, spreading to other devices via MSSQL and RDP (brute force), SMB, or USB, and performing several types of DDoS attacks.

DarkIRC also implements a bitcoin clipper, which replaces a copied bitcoin wallet address with the malware operator’s bitcoin wallet address, allowing it to hijack bitcoin transactions on the infected system.

“Threat actors will always be on the hunt for victims. One of the fastest ways for them to be victimized is to use a zero-day exploit and attack the internet, usually via a spray-and-pray technique,” the researchers said.
