Linux servers targeted by SpeakUp backdoor that installs miners

The new malware strain abuses remote code execution vulnerabilities and avoids detection

Researchers discovered a new malware strain dubbed SpeakUp, which mainly targets Chinese Linux servers and macOS machines and injects a cryptominer to mine Monero.

The new malware campaign, dubbed SpeakUp, was spotted by Check Point security researchers[1] on Monday. The sophisticated threat uses a set of well-known vulnerabilities to exploit six different Linux distributions, as well as macOS, and avoids detection by all anti-virus engines.

Experts say that the backdoor mainly targets East Asian and Latin American countries and also affects AWS (Amazon Web Services) hosts. So far, researchers have concluded that the malware has infected around 70,000 servers worldwide, which could form the basis of a powerful botnet.[2]

Hackers behind the campaign are using SpeakUp to deploy the Monero mining software XMRig,[3] which has already earned them 107 coins, currently worth about $4,500. While it is still unknown who is responsible for the attack, the analysis found connections to a Russian threat actor known as Zettabit:[1]

While the exact identity of the threat actor behind this new attack is still unconfirmed, Check Point Researchers were able to correlate SpeakUp’s author with a malware developer under the name of Zettabit. Although SpeakUp is implemented differently, it has a lot in common with Zettabit’s craftsmanship.

SpeakUp malware capabilities

SpeakUp is installed by exploiting a ThinkPHP vulnerability (CVE-2018-20062)[4] and uses command injection to execute a Perl backdoor; the entire infection process is heavily obfuscated. The trojan then spreads within networks using a built-in Python script whose primary function is brute-force attacks.

The malware is programmed to scan internal and external networks and exploit vulnerabilities such as Hadoop YARN ResourceManager,[5] Oracle WebLogic, the JBoss Seam Framework, JBoss AS 3/4/5/6 RCE and the Apache ActiveMQ Fileserver File Upload RCE.

The malicious payload can run shell commands, download and install files from a command-and-control (C2) server (communication with which is encoded with salted base64), and update or uninstall itself. The C2 server is contacted every three seconds to ask for a new task, and currently three commands are supported:

  • notask – the backdoor performs no task, waits 3 seconds and checks back;
  • newtask – execute arbitrary code, download and install new files, uninstall or update the program, and send out the fingerprint data;
  • newerconfig – send new instructions to the miner module.

While the server may answer with the “no task” command, it can otherwise direct the malware to perform various tasks on the machine. This lets the threat actors adapt and push new code at any time, as well as exploit new vulnerabilities. Ultimately, the malware is engineered to give the attackers as much control as possible, up to complete control of the machine.
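A fixed three-second check-in to the C2 server, as described above, is exactly the kind of regular beaconing that stands out in connection logs. The following detection script is an added example written for this article and is not code from Check Point or the SpeakUp malware itself; the log format, host addresses and thresholds are constructed assumptions, and only the three-second interval comes from the report. It groups connections per (source, destination, port), measures the gaps between consecutive connections and flags flows whose median gap sits near three seconds with little jitter.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample connection log (not from the article).
# Format per line: ISO timestamp, source IP, destination IP, destination port.
# The first flow beacons every 3 seconds; the second is irregular browsing.
SAMPLE_LOG = """\
2019-02-05T10:00:00 10.0.0.5 203.0.113.10 80
2019-02-05T10:00:03 10.0.0.5 203.0.113.10 80
2019-02-05T10:00:06 10.0.0.5 203.0.113.10 80
2019-02-05T10:00:09 10.0.0.5 203.0.113.10 80
2019-02-05T10:00:12 10.0.0.5 203.0.113.10 80
2019-02-05T10:00:15 10.0.0.5 203.0.113.10 80
2019-02-05T10:00:01 10.0.0.7 198.51.100.20 443
2019-02-05T10:00:19 10.0.0.7 198.51.100.20 443
2019-02-05T10:01:40 10.0.0.7 198.51.100.20 443
2019-02-05T10:02:02 10.0.0.7 198.51.100.20 443
2019-02-05T10:03:55 10.0.0.7 198.51.100.20 443
2019-02-05T10:04:01 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port) flow key."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def intervals(times):
    """Seconds between consecutive connections, in chronological order."""
    times = sorted(times)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def find_beacons(flows, expected_interval=3.0, tolerance=0.5, min_connections=5):
    """Return flows whose connection cadence matches a fixed beacon interval.

    A flow is flagged when it has at least `min_connections` connections, the
    median gap between them is within `tolerance` seconds of `expected_interval`,
    and the population standard deviation of the gaps (jitter) is also within
    `tolerance`. The 3-second default mirrors the cadence reported for SpeakUp;
    the tolerance and minimum count are assumed tuning values.
    """
    hits = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        gaps = intervals(times)
        med = median(gaps)
        jitter = pstdev(gaps)
        if abs(med - expected_interval) <= tolerance and jitter <= tolerance:
            hits.append({
                "flow": key,
                "connections": len(times),
                "median_interval": med,
                "jitter": jitter,
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        src, dst, port = hit["flow"]
        print(f"possible beacon: {src} -> {dst}:{port} "
              f"({hit['connections']} connections, median {hit['median_interval']}s, "
              f"jitter {hit['jitter']:.2f}s)")
```

In production the same logic would run over proxy, NetFlow or Zeek conn logs bucketed by time window; a jitter threshold is what separates a hard-coded sleep loop from a person clicking around, and a hit should be followed by looking at what the host actually sent, since the article notes the C2 traffic is encoded with salted base64 rather than plain text.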

Researchers warn: the threat might be more dangerous than one might think

Due to its sophisticated functionality and its infection and propagation techniques, experts think the campaign was launched with something much bigger in mind. Deploying a few miners may be just the tip of the iceberg, and it is highly likely that the bad actors developed the payload to infect thousands of machines with something far more sinister:

SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy a few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware. This campaign, while still relatively new, can evolve into something bigger and potentially more harmful.

Because this new campaign is expanding rapidly and has already infected machines in a variety of countries, experts predict that the next target will most likely be the US. Thankfully, anti-virus engines are starting to detect the threat under names such as Linux/Agent.FI, Trojan.Linux.Agent, PUA:Win32/Presenoker and Linux.SpeakUp.[6]

About the author
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.
