SpeakUp Linux Backdoor Sets Up for Major Attack

Posted by millikan at 2020-03-27

According to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far, in what could be the foundation for a very formidable botnet.

Oded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop YARN, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. And, he said, since this software can be deployed on virtual servers, all cloud infrastructure is also prone to being affected. The trojan itself can affect all Linux distributions and macOS.

Infection Routine

The initial infection vector targets a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques to upload a PHP shell that serves and executes a Perl backdoor.

After the victim machine is registered with the C2, Check Point analysts found, SpeakUp continuously polls for new tasks at a fixed interval of every three seconds. The C2 can say “no task” – or it can tell the backdoor to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data. The campaign could be scaled immediately as well, since the threat actor would be able to push a piece of malware to all infected hosts at once.

“The infected hosts are checking the C2 server for new commands every three minutes,” said Vanunu. “The threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,” he added.

Highly Sophisticated Propagation

[Figure: SpeakUp’s daily infection rate]

A Bigger Threat in the Making?

“At the moment SpeakUp serves XMRig miners to its listening infected servers,” according to the research. According to XMRHunter, the wallets hold a total of around 107 Monero coins right now, which is small potatoes in the grand scheme of things. SpeakUp has no detections in VirusTotal.

The initial victims have been in Eastern Asia and Latin America, but researchers believe that the U.S. could be the next target, if not the rest of the world. Given the impressive propagation tactics, a non-existent detection rate on VirusTotal, and the fact that the threat surface contains servers that run the top sites on the internet, SpeakUp could end up being a very big deal, researchers said: “This campaign, while still relatively new, can evolve into something bigger and potentially more harmful…[and] at the time of writing this article, it has no detections in VirusTotal.”

Attribution

“Although SpeakUp is implemented differently [than Zettabit’s other code], it has a lot in common with Zettabit’s craftsmanship,” according to the analysis. In terms of what links Zettabit to this malware, “we’ve read all of his Hack Forums posts and Github projects, so this avatar definitely knows his way around botnets,” Vanunu told Threatpost. “He even released a free example of botnet code for anyone to use. And while researching, we’ve identified two unique strings that were mentioned and used by Zettabit himself a couple of times in the past.”

This story was updated at 2:23 p.m. ET on February 4 to reflect additional details from the researchers.
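The fixed-interval task polling described in the Infection Routine section is behaviour a defender can hunt for in proxy or flow logs without any signature for the backdoor itself. The following is an added example, not Check Point's or Threatpost's code: it groups outbound connections by source/destination pair and flags pairs whose inter-connection gaps are nearly constant. The log format, the host addresses and the `.invalid` destination names are constructed for the example.

```python
"""Flag hosts whose outbound connections to one destination recur at a
near-fixed interval, as SpeakUp's three-second task polling would.
Added example, not Check Point's code; the log lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy/flow log: "<ISO timestamp> <src> <dst>". The first host
# beacons every 3 s; the second browses a CDN at irregular intervals.
SAMPLE_LOG = """\
2019-02-04T10:00:00 10.0.0.5 c2.example.invalid
2019-02-04T10:00:03 10.0.0.5 c2.example.invalid
2019-02-04T10:00:06 10.0.0.5 c2.example.invalid
2019-02-04T10:00:09 10.0.0.5 c2.example.invalid
2019-02-04T10:00:12 10.0.0.5 c2.example.invalid
2019-02-04T10:00:01 10.0.0.7 cdn.example.invalid
2019-02-04T10:00:19 10.0.0.7 cdn.example.invalid
2019-02-04T10:00:22 10.0.0.7 cdn.example.invalid
2019-02-04T10:01:40 10.0.0.7 cdn.example.invalid
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return (src, dst, mean_gap_seconds) for pairs seen at least min_hits
    times whose gaps are nearly constant: stdev/mean <= max_jitter."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, avg))
    return hits

if __name__ == "__main__":
    for src, dst, avg in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: beacon every {avg:.1f}s")
```

Tune `min_hits` and `max_jitter` to the log window and the amount of timing jitter the network adds; legitimate periodic traffic (monitoring agents, NTP) will also surface and must be allow-listed.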