SpeakUp: a new undetected backdoor Linux trojan
February 2019 by Check Point
Check Point Research has discovered a new campaign exploiting Linux servers to implant a new Backdoor, which currently evades all security vendors’ anti-virus software. The new Trojan, named “SpeakUp” after one of its command and control names, exploits known vulnerabilities in six different Linux distributions. The attack is gaining momentum and targeting servers in East Asia and Latin America, including Amazon Web Services-hosted machines.
SpeakUp acts to propagate internally within the infected subnet, and beyond to new IP ranges, exploiting remote code execution vulnerabilities. In addition, SpeakUp has the ability to infect Mac devices with the undetected backdoor.
At the moment SpeakUp is delivering the XMRig cryptominer to its listening infected servers. According to XMRHunter the wallets hold a total of 107 Monero coins (equivalent to $4,600 USD).
The initial infection vector is targeting the recently reported vulnerability in ThinkPHP (CVE-2018-20062, for uploading a PHP shell) and uses command injection techniques for uploading a PHP shell that serves and executes a Perl backdoor. The sample analyzed by Check Point was observed targeting a machine in China on January 14, 2019 and was first submitted to VirusTotal on January 9 2019. Currently, there are no detections in VirusTotal for the backdoor.
This project was created by a user called zettabithf which is linked to a user with the same name in Hack Forums. The Hack Forums profile may imply the author of SpeakUp backdoor is Russian speaking, as many of the comments are written in this language. He also seems to be a botnet developer, providing recommendations and publishing his LiteHTTP bot, which seems to have a well-designed GUI interface.
According to Check Point’s researchers, SpeakUp`s obfuscated payloads and propagation technique represent a significant threat, beyond deploying basic cryptomining malware. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware. This campaign, while still relatively new, can evolve into something bigger and potentially more harmful.