A backdoor trojan dubbed “SpeakUp” has been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it’s poised for a major offensive involving a vast number of infected hosts, potentially worldwide.
According to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so-named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far in what could be the foundation for a very formidable botnet.
SpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services; and, it doesn’t stop at Linux: It also has the ability to infect MacOS devices.
Oded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. And, he said that since these software can be deployed on virtual servers, all cloud infrastructure are also prone to be affected.
The actual trojan itself can affect all Linux distributions and MacOS.
The IT security researchers at Check Point have identified a new malware called SpeakUp targeting Linux and macOS – The new findings prove that there has been a surge in malware attacks against Linux and Apple devices.
SpeakUp is a new backdoor Trojan that is being distributed by cybercriminals through a malicious new campaign designed to target servers running six different Linux versions and macOS systems.
The malware manages to target multiple previously identified security flaws and can evade antivirus programs effectively.
Check Point researchers noted that the hackers are utilizing the exploit for ThinkPHP (CVE-2018-20062) remote code execution flaw for infecting Linux and macOS servers.
Infection Routine
The initial infection vector starts with targeting a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques for uploading a PHP shell that serves and executes a Perl backdoor.
The routine is heavily obfuscated: Using a GET request, exploit code is sent to the targeted server.
The resulting uploaded PHP shell then sends another HTTP request to the targeted server, with a standard injection function that pulls the ibus payload and stores it.
The payload execution is then kicked off using an additional HTTP request. That executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.
After registering the victim machine with the C2, Check Point analysts found that SpeakUp continuously asks for new tasks on a fixed-interval basis of every three seconds.
The C2 can say “no task” – or, it can tell it to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.
“The beauty is that the threat actor has a foothold on any infected server,” Vanunu said.
“Which means he can adapt new future vulnerabilities, and deploy the new code, which will attempt exploit further using new techniques. If the threat actor decides to implement some more infection techniques the number of bots could easily scale up.”
The campaign would be immediately scaled as well, since a threat actor would be able to download a piece of malware to all infected hosts at once.
“The infected hosts are checking the C2 server for new commands every three minutes,” said Vanunu.
“The threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,” he added.
Hackers often prefer backdoor Trojans because this malware can allow them easy access to compromised devices and also let them control the infected devices by establishing a connection with a C&C server.
Usually, such malware help attackers in running campaigns to gain full control of the machine.
While the exact identity of the threat actor behind this new attack is still unconfirmed, Check Point Researchers were able to correlate SpeakUp’s author with malware developer under the name of Zettabit. Although SpeakUp is implemented differently, it has a lot in common with Zettabit’s craftsmanship, said researchers in their blog post.
According to researchers, SpeakUp exploits ThinkPHP, which is a framework that almost 90% of the leading 1M domains in America use.
Furthermore, it can infect Mac machines without getting detected, which is a phenomenal capability.
At the moment, SpeakUp is mainly targeting devices in East Asia, Latin America, and mostly AWS hosted devices are its prime victims. Approx. 70,000 servers across the globe are targeted in this campaign.
Check Point researchers, who identified the campaign around three weeks back, assessed that exploiting the ThinkPHP vulnerability is only the initial attack vector that helps the Trojan infect the device.
Later, the hackers modify the local cron utility to obtain boot persistence, execute files that are downloaded from a remote C&C server, run shell commands, and uninstall or upgrade itself.
Moreover, SpeakUp has a built-in Python script that lets the malware to spread alongside the local network.
The Python script scans local networks to locate open ports as well as brute-forces systems that it identifies in the nearest vicinity.
This is performed using a list of pre-defined login credentials.
It also uses seven different exploits including remote command execution and Oracle WebLogic Server component of Oracle Fusion Middleware, etc., to control unpatched systems.
After infecting new machines the malware deploys itself on the systems.
Apparently, the attackers are using SpeakUp to deploy Monero cryptocurrency miners on infected devices and so far, the group has managed to make 107 Monero coins (around $4,500).
Although currently, the attackers are exploiting the Chinese PHP framework it is also possible that they switch to other exploits to further expand the scope of their backdoor and the range of targets. However, they haven’t yet targeted anything other than ThinkPHP framework.
