Malware researchers at Check Point have spotted a new Linux backdoor dubbed ‘
The SpeakUp backdoor leverages known vulnerabilities in six different Linux distros, and it is also able to infect Mac systems. The Trojan spreads by exploiting remote code execution flaws, and for the initial infection the hackers leverage a recently disclosed flaw in ThinkPHP (CVE-2018-20062).
Researchers linked the author of the SpeakUp backdoor to the malware developer who goes online by the moniker Zettabithf.
Most of the infected machines are in China, the same country where the sample analyzed by Check Point was spotted on January 14, 2019.
“The sample we analyzed was observed targeting a machine in China on January 14,
Once it has infected the system, the backdoor connects to the command and control (C&C) server to register the machine, it gains by using
The backdoor supports the following commands:
The backdoor uses a Python script to scan and infect other Linux servers within internal and external subnets; it is also able to brute-force admin panels.
The script attempts to exploit the following RCE vulnerabilities in the targeted servers:
Further research by the experts led them to the liteHTTP GitHub project, which has some modules similar to the SpeakUp Trojan.
“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners.” Check Point concludes.
“The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive,”
(SecurityAffairs – SpeakUp, backdoor)