
DarkIRC Malware

Posted: December 2, 2020

The DarkIRC Malware is a piece of threatening software sold publicly by its author for around $75. An experienced cybercrime group appears to have started using the DarkIRC payload recently, and this campaign targets Oracle WebLogic servers exclusively. Cybersecurity experts believe that the criminals are looking for unpatched servers riddled with old, exploitable vulnerabilities. However, judging by the DarkIRC Malware's features, the criminals might also be relying on a classic brute-force attack to exploit weak login credentials on Oracle WebLogic servers.

The DarkIRC Malware is feature-rich, and this particular campaign appears to use an obfuscated variant that hides its true intentions from antivirus software. However, you can rest assured that modern antivirus products are already capable of detecting the DarkIRC Malware's latest iteration and terminating it before it causes any trouble.

DarkIRC Checks for Machine Virtualization Software Before Starting the Attack

When the DarkIRC Malware is first deployed, it does not execute any threatening actions until it has checked for the presence of services, processes, and drivers linked to virtualization software such as VMware, VirtualBox, VBox, QEMU and others. By doing so, it may easily evade systems used for malware analysis.

Once running, the DarkIRC Malware drops itself into the %APPDATA%\Chrome folder under the name 'Chrome.exe'. Its operators can make use of the following features:

  • Log keystrokes.
  • Download and execute files.
  • Execute remote commands.
  • Run an infostealer.
  • Spread to other devices by brute-forcing MSSQL and RDP logins.
  • Spread via USB drives.
  • Launch distributed denial-of-service (DDoS) attacks.
  • Collect Bitcoin by hijacking the Windows clipboard.
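A defender-side check for the clipboard-hijacking feature listed above, added here as an example and not code from the article or from the malware's authors: it replays a constructed clipboard timeline and flags a Bitcoin address that is overwritten by a different address within a short window, which is how a hijacker redirects payments. The address patterns, the time window and the sample values are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shapes of Bitcoin addresses a clipboard hijacker watches for:
# legacy Base58 (P2PKH/P2SH) and lowercase Bech32 (SegWit). Format only, no checksum.
BTC_LEGACY = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")
BTC_BECH32 = re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$")


def looks_like_btc_address(text: str) -> bool:
    """True when the clipboard text has the shape of a Bitcoin address."""
    text = text.strip()
    return bool(BTC_LEGACY.match(text) or BTC_BECH32.match(text))


@dataclass
class ClipboardSample:
    ts: float      # seconds since monitoring started (assumed polling timestamp)
    content: str   # clipboard text observed at that moment


def detect_clipboard_swaps(samples: List[ClipboardSample], max_gap: float = 2.0) -> List[dict]:
    """Flag an address replaced by a *different* address within max_gap seconds.

    A person re-copying a new address takes longer than that; a hijacker rewrites
    the clipboard almost immediately after the original copy, so that is the pattern.
    """
    alerts = []
    prev: Optional[ClipboardSample] = None
    for cur in samples:
        if (prev is not None
                and looks_like_btc_address(prev.content)
                and looks_like_btc_address(cur.content)
                and prev.content.strip() != cur.content.strip()
                and cur.ts - prev.ts <= max_gap):
            alerts.append({"ts": cur.ts, "original": prev.content, "replaced_with": cur.content})
        prev = cur
    return alerts


# Constructed clipboard timeline (not a real capture): the user copies an address at
# t=10.0 and it is rewritten 0.4 s later; a second address copied a minute later is benign.
SAMPLES = [
    ClipboardSample(0.0, "meeting notes for Monday"),
    ClipboardSample(10.0, "1VictimPaymentAddress" + "X" * 13),
    ClipboardSample(10.4, "1SwappedAttackerAddress" + "X" * 11),
    ClipboardSample(10.9, "1SwappedAttackerAddress" + "X" * 11),  # unchanged: no alert
    ClipboardSample(75.0, "bc1qsamplecapture" + "x" * 25),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLES):
        print(f"clipboard swap at t={alert['ts']}: {alert['original']} -> {alert['replaced_with']}")
```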

While the DarkIRC Malware is not a new project, it continues to be improved and used in different campaigns. The latest campaign is certainly one of the larger ones, and it seems to target Oracle WebLogic instances exclusively. Administrators of such systems need to apply the latest updates to their software and make sure they use strong login credentials. Last but not least, using an up-to-date anti-malware software suite is mandatory.
