Researchers have discovered a new Trojan campaign that creates a Linux backdoor. Referred to as SpeakUp, the backdoor malware exploits multiple vulnerabilities in different distros. The malware campaign not only targets on-premise Linux servers globally but also affects AWS hosted machines. Moreover, it can also infect Mac devices
Linux Backdoor SpeakUp Discovered
Check Point Research has unveiled an ongoing malware campaign that creates a Linux backdoor in their blog. The campaign infects the target devices with the SpeakUp Trojan that exploits known remote code execution vulnerabilities in six Linux distributions.
The malware primarily begins by exploiting the recently discovered ThinkPHP vulnerability (CVE-2018-20062) to upload a PHP shell that serves and launches the Perl backdoor. After execution, the Perl script is put to sleep followed by file deletion to remove any pieces of evidence of infection. The victim’s device gets registered with the C&C to proceed with second stage payload. According to Check Point, the attackers have encoded the backdoor and the C&C communication with salted base64 to evade detection.
After device registration, the Trojan will periodically contact the C&C to receive commands. The C&C may respond in one of the three ways; either “newtask” that includes downloading and executing any file from the remote server or performing any program modifications, “notask” to put the Trojan to sleep for 3 seconds, or “newerconfig” to update the miner config file.
While SpeakUp can manipulate the infected machines in any possible way, it presently serves the XMRig miners to mine Monero. As stated by Check Point,
“At the moment SpeakUp serves XMRig miners to its listening infected servers. According to XMRHunter the wallets hold a total of ~107 Monero coins.”
Propagation And Attacker Identification
For propagating over a network, SpeakUp lets the backdoor scan and infect vulnerable Linux servers by first brute-forcing passwords to access admin panels, scanning for the availability of specific ports, and exploiting these known RCE vulnerabilities.
- CVE-2010-1871: JBoss Seam Framework remote code execution
- CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
- JBoss AS 3/4/5/6: Remote Command Execution
- CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability
- CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
- CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
- Hadoop YARN ResourceManager – Command Execution
Successful exploitation of these flaws leads to the deployment of ibus script on the target server. Tracing this script and the unique User-Agents responsible for communications between C&C and SpeakUp facilitated Check Point to identify the author behind this campaign. They link back to zettabithf, a user on HackForums linked with Zettabit malware.
Protecting Servers Against SpeakUp
Check Point clearly states that the present campaign hints to a bigger threat coming up. The threat actor may possibly deploy additional payloads as well at any time.
“This campaign, while still relatively new, can evolve into something bigger and potentially more harmful.”
Therefore, at present, it is imperative to be wary of any known vulnerabilities in the infrastructure, particularly the ones exploited in this campaign, to evade such attacks.
