The SpeakUp Linux Trojan is one of the most dangerous threats in the last weeks as it is categorized as a silent backdoor Trojan. It is able to successfully evade active security solutions and the confirmed campaigns indicate that it it is directed against vulnerabilities in popular distributions. At the moment the attacks concentrate mainly against servers in Latin America, East Asia and include AWS instances as well.
The Speakup Linux Trojan Threat — What We Know About the Ongoing Attacks
The main method through which infections are made is a bug in ThinkkPHP which is tracked in the CVE-2018-20062 advisory which reads the following:
An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
If a vulnerable service is done the SpeakUp Linux Trojan will run a crafted network request which will lead to the successful infection. A distinct characteristic is the execution of a Python based script which can scan the reachable machines on the local network. This is done in order to look for specific vulnerabilities — the malware code will attempt to infect them by attempting to trigger remote code execution bugs. The current campaign targets the following vulnerabilities:
- CVE-2012-0874 — JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
- CVE-2010-1871 — JBoss Seam Framework remote code execution
- JBoss AS 3/4/5/6 — Remote Command Execution
- CVE-2017-10271 — Oracle WebLogic wls-wsat Component Deserialization RCE
- CVE-2018-2894 — Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware
- Hadoop YARN ResourceManager — Command Execution
- CVE-2016-3088 — Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability
We have received confirmation that the current attacks are set against machines located in East Asia and Latin America. The researchers have also uncovered that AWS hosted services have also been affected. What’s more dangerous is that due to the fact that the code is written using proper code it can also infect Mac machines.
The SpeakUp Linux Trojan Infection Capabilities and Observed Behavior
As soon as a successful infiltration attempt has been made the malicious script will pull an ibus payload which is to be injected in the “tmp” location. From there on the actual backdoor will be run. It is programmed to retrieve a Perl script from a remote server and run it after a two second delay. The original file will be removed in order to make it impossible to find out the evidence and route of infection. This second-stage payload will perform its intended functions using encoded memory — this is done in order to make it impossible for analysis to be done without decoding the stream in real-time.
Effectively a security bypass is enforced on the victim computers — the virus installation is delayed which goes around the typical heuristics scan done by antivirus programs. Additionally as the memory operations are encoded the security software may not be able to read the processes and identify that a threat is present. Effectively this can strategy can be used to remove the engines or the applications altogether. The list of programs that are to be affected include anti-virus programs, firewalls, intrusion detection systems, virtual machine hosts and sandbox environments.
The main goal of the SpeakUp Linux Trojan is to establish a secure connection to a hacker-controlled server. It essentially allows the criminals to execute commands, many of which are built into the engine. All they need is to simply pass on the required argument to the local service. The analysis shows that the communication is done at regular intervals which are labeled as “knocks”. The SpeakUp Linux Trojan will ensure that only a single instance is running at a time by specifying an internal mutex signature. Several of the commands that are available to the hacker operators have been captured via network analysis:
- newtask — This command will run a hacker-uploaded code or file on the infected machine. It is also used to instruct the hosts into downloading and running a file from a remote service. Other possible tasks include the killing of running processes or uninstalling them. An up-to-date status report can also be requested from the machines.
- notask — This will sleep the local SpeakUp Linux Trojan instance and follow-up the server for the startup of additional commands.
- newerconfig — This will update the configuration file.
It appears that one of the main goals is to deploy a cryptocurrency miner. This is a trend in the last few years wherein these small-sized applications will take advantage of the hardware resources by executing intensive tasks. They will place a heavy load on the CPU, GPU, memory and hard disk space. Whenever one of them is complete the hacker operators will receive digital currency that will be directly wired to their wallets.
We remind our readers that this information merely the represents the current version and activities of the virus samples as configured in the present. It is possible that the future versions will have a very different behavior pattern.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: