SpeakUp is a backdoor Trojan which originally affects Linux distributions and MacOS systems. However, the scope of SpeakUp attack includes any server running ThinkPHP, Hadoop Yarn, Oracle WebLogic and Apache ActiveMQ. It has been named after its command-and-control domain ‘SpeakUpOmaha[dot]com’. SpeakUp exploits remote code execution vulnerabilities to propagate internally within the infected subnet and across new IP ranges. It downloads miners in the infected systems for unauthorized cryptomining.

Mode Of Infection: For introducing the infection vector, SpeakUp takes advantage of the CVE-2018-20062 vulnerability of ThinkPHP. It is a remote command execution vulnerability.

  • The hackers use GET request to send malicious code to the target server. It acts as a PHP shell that executes commands sent by the module parameter in a query.
  • Another HTTP request is sent to the target server to serve as Perl backdoor. It is a standard injection which pulls the Intelligent Input Bus (ibus) payload and stores it on a different location.
  • An additional HTTP request is then sent for launching the backdoor. This request executes the Perl script and deletes the files for eradicating evidence.

Registering A New Victim: On victimizing a server, SpeakUp communicates with its command-and-control domain via POST and GET requests. It uses POST request over HTTP to send the victim ID, current version of installed script and other information to the C&C domain. The domain sends “needrgr” response to the request indicating that it is a new victim & requires registration. The Trojan then forwards complete information of the victim system by running a series of Linux commands.

Functions And Tasks: After registering the victim, the Trojan communicates with its C&C domain at regular intervals known as ‘Knock Interval’ which is 3 seconds. C&C domain commonly uses following commands:

  • “newtask”: It commands the Trojan to execute a code, download & execute a file, uninstall the program and send updated information.
  • “notask”: The command indicates that the Trojan should sleep for ‘Knock Interval’ of 3 seconds and then request for a new task.
  • “newerconfig”: This command indicates the Trojan to update the miner configuration file.

The Trojan defines 3 User-Agents. A User-Agent is a Python library that provides a way to detect devices such as mobile, tablet or a PC. The User-Agents defined by SpeakUp include two MacOS X User-Agents and a hashed string.
Propagation: For further propagation, SpeakUp is loaded with an additional Python script which allows the Trojan to identify, scan and infect other Linux servers within internal & external subnets.

For more information on malware threats and to know how to secure your IT system, call Centex Technologies at (254) 213-4740.