“SpeakUp” Backdoor trojan targeting Linux and Mac
A malware named ‘SpeakUp’ is exploiting the Linux servers and Mac devices in a new crypto-mining campaign.
According to Check Point, Malware insert a backdoor Trojan by exploiting known vulnerabilities in six different Linux distributions. They further said that the crypto-mining campaign is gaining momentum and has targeted more than 70,000 servers worldwide including Amazon AWS hosted machines. With huge number of servers it could be the foundation for a very formidable botnet.
“SpeakUp acts to propagate internally within the infected subnet, and beyond to new IP ranges, exploiting remote code execution vulnerabilities. In addition, SpeakUp presented ability to infect Mac devices with the undetected backdoor.”
While the exact identity of the threat actor behind this new attack is still unconfirmed, Check Point Researchers were able to correlate SpeakUp’s author with malware developer under the name of Zettabit. Although SpeakUp is implemented differently, it has a lot in common with Zettabit’s craftmanship.
The initial infection vector is targeting the recently reported vulnerability (CVE-2018-20062) in ThinkPHP and uses command injection techniques for uploading a PHP shell that serves and executes a Perl backdoor. Researchers detected SpeakUp being used to spread the XMRig crypto-miner to a machine in China, which was reported to VirusTotal on January 9, 2019.
Researchers warned that the malware’s “obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive.”
According to the report, the malware remains in communication with its command and control (C&C), receiving its next task instructions on what researchers called a “fixed ‘knock’ interval.” Built-in to the malware is a Python script that enables lateral movement on the network. The script also scans the local networks for open ports, forces its way into nearby systems using a list of predefined usernames and passwords and then uses one of seven exploits to take over unpatched systems.
