Multiple botnets exploit through remote code execution vulnerability in Oracle WebLogic Server.
Oracle WebLogic Server:
Oracle WebLogic is a platform for developing, deploying, and running enterprise Java applications in any cloud environment as well as on-premises.
Recently, a new patch released for the vulnerability flaw against Honeypots – CVE-2020-14882.
Oracle Security Alert — CVE-2020-14750
A remote code execution vulnerability in Oracle WebLogic Server, which steals sensitive information’s from affected systems.
Importantly, This vulnerability is related to CVE-2020-14882, which was addressed in the October 2020 Critical Patch Update.
As of writing, about 3,000 Oracle WebLogic servers are accessible on the Internet-based on stats from the Shodan search engine.
Base Score 9.8/10
Oracle WebLogic Server — versions:
DarkIRC — This bot performs a unique command and control domain generation algorithm that relies on the sent value of a particular crypto wallet.
Notably, This bot is currently being sold on hack forums for $75USD.
The bot installs itself in the %APPDATA%\Chrome\Chrome.exe and creates an autorun entry. Among its functions include:
- Browser Stealer
- Bitcoin Clipper
- RUDY (R-U-DeadYet?)
- TCP Flood
- HTTP Flood
- UDP Flood
- Syn Flood
- Worm or spread itself in the network
- Download Files
- Execute Commands
Moreover, The malware also acts as a Bitcoin clipper that allows them to change bitcoin wallet addresses copied to the clipboard to the operator’s bitcoin wallet address, allowing the attackers to reroute Bitcoin transactions.
On the other hand, vulnerable servers instances a lucrative target for threat actors to recruit these servers into a botnet that pilfers critical data and deploy second stage malware payloads.
Therefore, Unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems.
It’s recommended that users apply the October 2020 Critical Patch Update and the updates associated with CVE-2020-14750.
Indicators Of Compromise: