Over a million developers have joined DZone.

SpeakUp: a New Linux Backdoor Trojan Targeting the ThinkPHP Ecosystem

DZone 's Guide to

SpeakUp: a New Linux Backdoor Trojan Targeting the ThinkPHP Ecosystem

Check out the latest Linux backdoor trojan targeting the ThinkPHP ecosystem.

· Security Zone ·
Free Resource

A Trojan backdoor called "SpeakUp "exploits Linux servers that run more than 90 percent of the top 1 million domains in the United States. It uses tricky methods to infect and spread into the hosts. Security experts say that it is ready for a major offensive involving a large number of infected hosts.

According to Check Point research, SpeakUp is used in a cryptomining campaign with more than 70,000 servers worldwide. SpeakUp targets on-site servers and cloud-based machines, such as Amazon Web Services, and does not stop on Linux: it can also infect MacOS devices.

The initial infection vector starts with a recently reported ThinkPHP RCE vulnerability (CVE-2018- 20062), which uses command injection techniques to upload a PHP shell that serves and runs a Perl backdoor.

The routine is highly obscured: exploit code is sent to the target server via a GET request. The resulting uploaded PHP shell then sends the target server another HTTP request with a standard injection function, which pulls and saves the ibus payload.

The payload execution is then started with an additional HTTP request, which executes the Perl script, sleeps for two seconds, and deletes the file to remove any evidence of infection. After registering the victim with the C2, checkpoint analysts found that SpeakUp continually requests new tasks at a fixed interval every three seconds.

The C2 can say "no task" or execute arbitrary code on your local machine, download and run a file from any remote server, kill or uninstall the program, or send updated fingerprint data.

SpeakUp also comes with a handy Python propagation script; its main functions are brute administrative panels using a predefined list of usernames and passwords, and scanning the infected machine's network environment.

It monitors the availability of specific ports on servers that share the same internal and external subnet masks for the latter function. The idea is to scan and infect more vulnerable Linux servers with a whole bag of exploits on their internal and external subnetworks.

CVE-2012-0874: JBoss Enterprise Application Platform
CVE-2010-1871: JBoss Seam Framework remote code execution
JBoss AS 3/4/5/6: Remote Command Execution
CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization
RCE CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Hadoop YARN ResourceManager
CVE-2016-3088 Command Execution: Apache ActiveMQ File Server Upload Remote Code Vulnerability Execution.

“According to research, SpeakUp now serves XMRig miners on its infected servers," XMRHunter reports that "the wallets hold a total of ~107 Monero coins."

The authors of SpeakUp, however, have the ability to download any code they want to serve. Checkpoint analysts said the mining code could be a kind of beta test before a larger malware drop in the future.

"SpeakUp's obscure payload and propagation technique is undoubtedly the work of a greater threat manufacturing," according to the analysis. "It is difficult to imagine anyone building such a composite range of payloads just to deploy a few miners."

The actor behind this campaign can also deploy additional payloads, which could be more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute malware.

SpeakUp Malware Detections

SpeakUp does not have VirusTotal detections. The first victims are in East Asia and Latin America, but scientists believe it is the United States — if not the rest of the world, the next goal could be.

malware detection ,linux os ,mac os x ,trojan ,cryptomining ,vulnerabilites ,backdoor ,linux servers ,security ,linux

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}