New SpeakUp Backdoor Infects Linux and MacOS

A new malware campaign has been found containing a new Backdoor Trojan called SpeakUp and they are targeting Linux Servers and MacOS by exploiting vulnerabilities in their systems. 

Check Point researchers stated that the malware campaign attacks Linux servers from all over the world using the CVE-2018-20062 ThinkPHP remote code execution vulnerability as an initial infection vector.

To upload a “PHP shell that serves and executes a Perl backdoor” on vulnerable Linux machines, it will employ command injection techniques to send shell commands via a GET request’s “module” parameter:

s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^>index.php

Followed by the Trojan injecting a backdoor by pulling the ibus Perl script payload and store it in /tmp/e3ac24a0bcddfacd010a6c10f4a814bc, which will immediately be launched with the help of a follow-up malicious HTTP request designed to execute the Perl-based backdoor, pause for a couple of seconds and delete the file to remove any indication that something is wrong.

The malware was submitted to Check Point on January 14, none of the anti-malware engines available on VirusTotal detect the SpeakUp Trojan.

SpeakUP Fun Actions

SpeakUp can also avoid being removed by a simple restart of the compromised Linux or macOS device and it does that using the cron time-based job scheduler and an internal mutex which makes sure that only one instance of the Trojan is running at all times.

SpeakUp also comes with the ability to scan and infect more vulnerable machines on the local network. 

The Trojan does this by trying to login into Admin panels using brute-force attacks and by employing multiple remote code execution vulnerabilities:

  • CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities.
  • CVE-2010-1871: JBoss Seam Framework remote code execution
  • JBoss AS 3/4/5/6: Remote Command Execution
  • CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
  • CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
  • Hadoop YARN ResourceManager – Command Execution
  • CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.
author avatar
Patrick Domingues

Leave a Comment

Stay Informed

Receive instant notifications when new content is released.