DarkIRC Malware Description
DarkIRC Malware is a threat that is being offered for sale on underground hacker forums. The purported creator of this malware, who has been advertising it since August 2020, uses the account name Freak_OG. According to the posts, DarkIRC is available for purchase for $75. While it has not been determined whether it is run by the creator of the threat or by a client, an attack campaign delivering DarkIRC has been detected by infosec researchers. The main targets of the campaign are exposed Oracle WebLogic servers that have not been patched against the CVE-2020-1482 remote code execution (RCE) vulnerability, even though Oracle released a patch addressing the issue in October 2020. This particular vulnerability is extremely severe, as it is exploitable without any authentication, including usernames or passwords.
The DarkIRC Malware Possesses a Wide Range of Threatening Functions
If an unpatched Oracle WebLogic server is detected, DarkIRC is delivered to it through an HTTP GET request. The corrupted binary dropped on the system is equipped with countermeasures against analysis and sandbox execution - it terminates if it detects a VMware, VBox, QEMU, VirtualBox or Xen virtual machine.
The next step of its attack process is to install itself as %APPDATA%\Chrome\Chrome.exe and then to establish persistence by creating an autorun entry. From that point, DarkIRC can proceed to perform its multitude of threatening activities. The threat has a wide array of functions: it can download additional files, execute arbitrary commands, harvest credentials, initiate keylogging, and conduct DDoS (Distributed Denial of Service) attacks. DarkIRC is also capable of propagating itself to other systems and devices through several different methods:
- Brute-force RDP attacks
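The persistence artefact described above (a Chrome-named executable dropped under %APPDATA% and launched from an autorun entry) is something a defender can hunt for. The following is an added example, not code from the original page or from the malware's author: it takes autorun entries as (name, command) pairs, expands %VAR% tokens against a constructed environment, and flags commands whose executable resolves to %APPDATA%\Chrome\Chrome.exe, a location where a genuine Chrome install never lives. The sample entries and the user profile path are constructed.

```python
"""Hunt for the DarkIRC-style persistence entry: %APPDATA%\\Chrome\\Chrome.exe.

Added example; on a real host the entries would come from the Run keys
(e.g. via an autoruns export) and the environment from os.environ.
"""
import ntpath
import re

# Constructed environment for a user named alice; stands in for os.environ.
FAKE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "PROGRAMFILES": r"C:\Program Files",
}

_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def expand_env(command, env=FAKE_ENV):
    """Expand %VAR% tokens the way ExpandEnvironmentStrings would; unknown vars stay as-is."""
    return _VAR.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def executable_of(command):
    """Return the executable path from a Run-key command, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_suspicious(command, env=FAKE_ENV):
    """True when the command launches Chrome.exe from %APPDATA%\\Chrome (any slash style)."""
    exe = executable_of(expand_env(command, env)).replace("/", "\\").lower()
    directory, name = ntpath.split(exe)
    expected_dir = ntpath.join(env["APPDATA"].lower(), "chrome")
    return name == "chrome.exe" and directory == expected_dir


def scan_autoruns(entries, env=FAKE_ENV):
    """Return the names of autorun entries matching the DarkIRC persistence pattern."""
    return [name for name, cmd in entries if is_suspicious(cmd, env)]


# Constructed sample entries; the first mimics the path described on the page.
SAMPLE_ENTRIES = [
    ("Chrome", r"%APPDATA%\Chrome\Chrome.exe"),
    ("GoogleChromeAutoLaunch",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window'),
    ("OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for hit in scan_autoruns(SAMPLE_ENTRIES):
        print("suspicious autorun entry:", hit)
```

The check deliberately keys on the directory rather than the file name alone: a legitimate Chrome auto-launch entry also runs chrome.exe, but from the Program Files or %LOCALAPPDATA%\Google\Chrome\Application tree, so it is not flagged.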
If the threat actors choose to, they can also leverage DarkIRC to act as a Bitcoin clipper. This means the threat will, in real time, substitute any Bitcoin wallet address copied to the clipboard with one controlled by the hackers, resulting in the victims unknowingly sending their funds to the wrong recipient.
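A clipper of the kind described above rewrites the clipboard within milliseconds of the user's copy, which is the behaviour a clipboard monitor can key on. The following is an added example, not code from the original page or from the malware: it models the monitor's input as a list of (time_ms, clipboard_text) snapshots and raises an alert when one Bitcoin-looking address is replaced by a different one faster than a person could plausibly copy a new value. The address regex is a simplification (it does not validate checksums or the bech32 character set), the 500 ms window is an assumed threshold, and every address below is a constructed sample.

```python
"""Detect clipboard address substitution (Bitcoin clipper behaviour) from clipboard snapshots.

Added example. Input is a chronological list of (time_ms, clipboard_text)
snapshots such as a clipboard-change hook or a polling loop would produce.
"""
import re
from dataclasses import dataclass

# Simplified patterns for legacy (1.../3...) and bech32 (bc1...) addresses.
BTC_ADDRESS = re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$")

# A clipper swaps the value almost instantly; a human copying a second
# address takes far longer. The window is an assumed, tunable threshold.
SWAP_WINDOW_MS = 500


@dataclass
class SwapAlert:
    time_ms: int
    original: str
    replacement: str


def looks_like_btc_address(text):
    """True when the text matches the (simplified) Bitcoin address shape."""
    return bool(BTC_ADDRESS.match(text.strip()))


def detect_clipper_swaps(snapshots, window_ms=SWAP_WINDOW_MS):
    """Return a SwapAlert for each address-to-different-address change inside the window."""
    alerts = []
    previous = None
    for time_ms, content in snapshots:
        content = content.strip()
        if previous is not None:
            prev_time, prev_content = previous
            if (looks_like_btc_address(prev_content)
                    and looks_like_btc_address(content)
                    and content != prev_content
                    and time_ms - prev_time <= window_ms):
                alerts.append(SwapAlert(time_ms, prev_content, content))
        previous = (time_ms, content)
    return alerts


# Constructed clipboard timeline: the user copies a payee address, the
# clipboard is rewritten 40 ms later, and later the user copies other text
# and, much later, a second address of their own.
SAMPLE_SNAPSHOTS = [
    (1000, "1VictimPayeeAddr11111111111111111"),
    (1040, "1SwappedAddrXXXXXXXXXXXXXXXXXXXXX"),
    (9000, "meeting notes"),
    (15000, "bc1qlegitimatesecondaddresscopiedbyuser"),
]

if __name__ == "__main__":
    for alert in detect_clipper_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={alert.time_ms}ms: {alert.original} -> {alert.replacement}")
```

The timing condition is what separates a clipper from normal use: two different addresses copied seconds apart are ordinary, while an address changing into another address a few tens of milliseconds after the copy is not something a user does by hand.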