Researchers spotted a new malware campaign distributing a backdoor trojan named ‘SpeakUp’ which exploits known vulnerabilities in six different Linux software. This malware campaign targets servers in East Asia and Latin America, including AWS hosted machines. Researchers noted that this campaign also manages to evade all antivirus solutions.
Researchers from Check Point suspect a malware author under the name Zettabit to be behind the new campaign as they detected similarities between SpeakUp backdoor trojan and Zettabit’s previous work.
SpeakUp targets Linux servers via ThinkPHP RCE vulnerability
Check Point researchers noted that this malware campaign targets Linux servers using the ThinkPHP remote code execution vulnerability (CVE-2018-20062 ) as an initial infection vector. SpeakUp backdoor leverages this vulnerability and uses command injection techniques to upload a PHP shell that executes a Perl backdoor.
Once the SpeakUp trojan successfully gains a foothold on a Linux server, it will immediately signal its C2server that a newly infected host is online and send registration information to be added to the network of compromised machines the attackers can control remotely. Attackers can use it to gain boot persistence, run shell commands, execute files downloaded from a remote C2 server, etc.
Researchers noted that the second payload was encoded with salted base64 and the communication between the infected server and C2 server was also encoded with salted base64.
Seven Remote Code Execution Vulnerabilities
Researchers also noted that this SpeakUp trojan comes with built-in Python script that the trojan uses for propagation. This Python script allows SpeakUp to scan local networks and infect more Linux servers.
SpeakUp does this by scanning for open ports, attempting brute-force attacks to log in to Admin panels, and exploiting one of seven RCE vulnerabilities such as,
SpeakUp’s victim distribution
Check Point’s ‘SpeakUp victim distribution’ map revealed that SpeakUp victims are primarily located in Asia and South America.
“The infections in non-Chinese countries comes from SpeakUp using its second-stage exploits to infect companies' internal networks, which resulted in the trojan spreading outside the normal geographical area of a Chinese-only PHP framework,” Lotem Finkelstein, a researcher at Check Point told ZDNet.
This campaign has made 107 Monero coins
Researchers reported that the attackers behind this malware campaign have been using the SpeakUp trojan to deploy Monero cryptocurrency miners on infected servers and have made roughly 107 Monero coins which is around $4,500.
“At the moment SpeakUp serves XMRig miners to its listening infected servers. According to XMRHunter, the wallets hold a total of ~107 Monero coins,” Check Point researchers said.
“The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware. This campaign, while still relatively new, can evolve into something bigger and potentially more harmful,” researchers concluded.