LAS VEGAS — A backdoor trojan dubbed “SpeakUp” has been spotted exploiting the Linux servers that run more than 90 percent of the top 1 million domains in the U.S. It uses a complex bag of tricks to infect hosts and to propagate, which analysts say could indicate that it’s poised for a major offensive involving a vast number of infected hosts, potentially worldwide.
According to Check Point research released Monday at the CPX360 event in Las Vegas, SpeakUp (so-named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a cryptomining campaign that is gaining momentum and has targeted more than 70,000 servers worldwide so far in what could be the foundation for a very formidable botnet.
SpeakUp targets on-premises servers as well as cloud-based machines, such as those hosted by Amazon Web Services, and it doesn’t stop at Linux: it can also infect MacOS devices.
Oded Vanunu, head of products vulnerability research for Check Point, told Threatpost that the scope of this attack includes all servers running ThinkPHP, Hadoop Yarn, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. And since this software can be deployed on virtual servers, he said, all cloud infrastructure is also prone to be affected.
The actual trojan itself can affect all Linux distributions and MacOS.
Infection Routine
The initial infection vector starts with targeting a recently reported RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command-injection techniques for uploading a PHP shell that serves and executes a Perl backdoor.
The routine is heavily obfuscated: Using a GET request, exploit code is sent to the targeted server. The resulting uploaded PHP shell then sends another HTTP request to the targeted server, with a standard injection function that pulls the ibus payload and stores it. The payload execution is then kicked off using an additional HTTP request. That executes the Perl script, puts it to sleep for two seconds and deletes the file to remove any evidence of infection.
Check Point analysts found that after registering the victim machine with the C2, SpeakUp continuously asks for new tasks on a fixed-interval basis of every three seconds. The C2 can say “no task” – or, it can tell it to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.
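A fixed polling interval of the kind described above is something a defender can look for in outbound-connection logs: a host that contacts the same destination at nearly constant spacing, with almost no jitter, stands out from ordinary traffic. The following is an added example, not code from Check Point or from the SpeakUp campaign; the log format, hostnames (all under the reserved `.invalid` TLD) and timestamps are constructed for illustration, and the only page-derived detail is the roughly three-second interval. It groups connections by source/destination pair, computes the inter-arrival times, and flags pairs whose coefficient of variation is below a threshold.

```python
"""Fixed-interval beacon detection over constructed connection-log lines.

Added example (not from the article or Check Point). The log format is assumed:
one connection per line, "<ISO-8601 timestamp> <src_host> -> <dst_host>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: web01 polls c2.example.invalid every 3 s (beacon-like);
# web02 talks to a mirror at irregular intervals; web03 has too few events to judge.
SAMPLE_LOG = """\
2019-02-04T10:00:00 web01 -> c2.example.invalid
2019-02-04T10:00:00 web02 -> mirror.example.invalid
2019-02-04T10:00:03 web01 -> c2.example.invalid
2019-02-04T10:00:06 web01 -> c2.example.invalid
2019-02-04T10:00:07 web02 -> mirror.example.invalid
2019-02-04T10:00:09 web01 -> c2.example.invalid
2019-02-04T10:00:12 web01 -> c2.example.invalid
2019-02-04T10:00:15 web01 -> c2.example.invalid
2019-02-04T10:00:20 web03 -> c2.example.invalid
2019-02-04T10:00:23 web03 -> c2.example.invalid
2019-02-04T10:01:30 web02 -> mirror.example.invalid
2019-02-04T10:02:02 web02 -> mirror.example.invalid
2019-02-04T10:05:44 web02 -> mirror.example.invalid
2019-02-04T10:06:01 web02 -> mirror.example.invalid
"""


def parse_connections(log_text):
    """Yield (epoch_seconds, src, dst) for each well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue
        try:
            ts = datetime.fromisoformat(parts[0]).timestamp()
        except ValueError:
            continue
        yield ts, parts[1], parts[3]


def find_beacons(log_text, min_events=5, max_jitter=0.2):
    """Return source/destination pairs whose connection spacing is nearly constant.

    jitter = population stddev of inter-arrival times / mean inter-arrival time.
    A value near 0 means a machine-regular schedule; human-driven traffic is far noisier.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_connections(log_text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:      # not enough samples to judge regularity
            continue
        stamps.sort()
        deltas = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:                      # all events at the same instant; ignore
            continue
        jitter = pstdev(deltas) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "events": len(stamps),
                "mean_interval": round(avg, 2),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['events']} connections, "
              f"every {hit['mean_interval']} s (jitter {hit['jitter']})")
```

On the sample, only `web01 -> c2.example.invalid` is reported (six connections, 3.0 s apart, jitter 0.0). The thresholds are deliberately parameters: a malware author can add random sleep to raise the jitter, so in practice this is paired with destination-reputation checks rather than used alone.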
“The beauty is that the threat actor has a foothold on any infected server,” Vanunu said. “Which means he can adapt new future vulnerabilities, and deploy the new code, which will attempt to exploit further using new techniques. If the threat actor decides to implement some more infection techniques the number of bots could easily scale up.”
The campaign would be immediately scaled as well, since a threat actor would be able to download a piece of malware to all infected hosts at once.
“The infected hosts are checking the C2 server for new commands every three minutes,” said Vanunu.
“The threat actor [may also be able to] sell the infected hosts to any threat actor and deploy any type of malware to the highest bidder,” he added.
Highly Sophisticated Propagation
SpeakUp also comes equipped with a handy propagation script written in Python; its main functions are brute-forcing administrative panels using a pre-defined list of usernames and passwords, and scanning the network environment of the infected machine. For the latter function, it checks for availability of specific ports on servers that share the same internal and external subnet mask. The idea is to scan and infect more vulnerable Linux servers within its internal and external subnets, using a full bag of exploits.
To spread, SpeakUp’s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; an Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).
“A successful exploitation of one of the vulnerabilities will result in deploying the original ibus script on the exploited server,” according to Check Point’s analysis, which added that it also has the capability to infect Macs.
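The propagation behaviour described in this section, a compromised host probing specific ports on its neighbours in the same subnet, leaves a distinctive footprint in flow logs: one internal source touching many distinct internal hosts on the same port within a short window. The following is an added example, not code from Check Point or from the SpeakUp campaign; the flow-record format, the RFC 1918 addresses and the timestamps are constructed, and the ports 8080 and 7001 are simply stand-ins for "application ports a scanner might probe". It restricts itself to the source's own /24 (the article also mentions external subnets; extending the prefix check is straightforward) and reports any (source, port) pair that reaches a threshold of distinct targets inside a sliding time window.

```python
"""Horizontal-scan detection over constructed flow-log lines.

Added example (not from the article or Check Point). The record format is assumed:
"<ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port>", one flow per line.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.1.2.15 sweeps five neighbours on 8080 within seconds
# (scan-like), touches three on 7001 (below threshold), reaches one external host
# (outside its /24, ignored here) and one more neighbour half an hour later
# (outside the window). 10.1.2.40 is ordinary repeat traffic to a single host.
SAMPLE_FLOWS = """\
2019-02-04T11:00:00 10.1.2.15 10.1.2.20 8080
2019-02-04T11:00:01 10.1.2.15 10.1.2.21 8080
2019-02-04T11:00:01 10.1.2.15 10.1.2.20 7001
2019-02-04T11:00:02 10.1.2.15 10.1.2.22 8080
2019-02-04T11:00:02 10.1.2.15 10.1.2.21 7001
2019-02-04T11:00:03 10.1.2.15 10.1.2.23 8080
2019-02-04T11:00:03 10.1.2.15 10.1.2.22 7001
2019-02-04T11:00:04 10.1.2.15 10.1.2.24 8080
2019-02-04T11:00:04 10.1.2.15 203.0.113.9 8080
2019-02-04T11:00:05 10.1.2.40 10.1.2.50 443
2019-02-04T11:00:06 10.1.2.40 10.1.2.50 443
2019-02-04T11:30:00 10.1.2.15 10.1.2.26 8080
"""


def parse_flows(flow_text):
    """Yield (epoch_seconds, src_ip, dst_ip, dst_port); skip malformed lines."""
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0]).timestamp()
            ipaddress.ip_address(parts[1])
            ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], port


def max_distinct_in_window(events, window):
    """events: time-sorted [(ts, dst)]. Largest number of distinct dst in any span <= window s."""
    counts = defaultdict(int)
    best = left = 0
    for ts, dst in events:
        counts[dst] += 1
        while ts - events[left][0] > window:   # slide the left edge forward
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_subnet_scans(flow_text, prefix_len=24, min_targets=5, window=60):
    """Report (src, port) pairs that reach >= min_targets distinct same-subnet hosts within window s."""
    buckets = defaultdict(list)                  # (src, port) -> [(ts, dst)]
    for ts, src, dst, port in parse_flows(flow_text):
        home_net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        if ipaddress.ip_address(dst) not in home_net:
            continue                             # only neighbours in the source's own subnet
        buckets[(src, port)].append((ts, dst))

    findings = []
    for (src, port), events in buckets.items():
        events.sort()
        reached = max_distinct_in_window(events, window)
        if reached >= min_targets:
            findings.append({"src": src, "port": port, "targets": reached})
    return sorted(findings, key=lambda f: (f["src"], f["port"]))


if __name__ == "__main__":
    for hit in find_subnet_scans(SAMPLE_FLOWS):
        print(f"{hit['src']} probed {hit['targets']} hosts in its subnet on port {hit['port']}")
```

On the sample this reports only `10.1.2.15` on port 8080 with five targets; the 7001 probes stay under the threshold and the late connection to `10.1.2.26` falls outside the 60-second window. Servers that legitimately fan out to many peers (monitoring, configuration management) need an allow-list in front of a rule like this.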
A Bigger Threat in the Making?
Right now, the observed file downloads that the backdoor is dropping are simple Monero-mining scripts. However, SpeakUp’s authors have the ability to download any code they want to the servers. Check Point analysts said that the mining code could be a sort of beta test ahead of a much more concerning malware drop to come.
“At the moment SpeakUp serves XMRig miners to its listening infected servers,” according to the research. According to XMRHunter, the wallets hold a total of around 107 Monero coins right now, which is small potatoes in the grand scheme of things.
“SpeakUp’s obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making,” according to the analysis. “It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware.”
The initial victims have been in Eastern Asia and Latin America, but researchers believe that the U.S. could be the next target, if not the rest of the world. Given the impressive propagation tactics, a non-existent detection rate on VirusTotal, and the fact that the threat surface contains servers that run the top sites on the internet, SpeakUp could end up being a very big deal, researchers said: “This campaign, while still relatively new, can evolve into something bigger and potentially more harmful…[and] at the time of writing this article, it has no detections in VirusTotal.”
Attribution
While the exact identity of the threat actor behind this new attack is still unconfirmed, it’s clear that it’s someone or a group with plenty of malware-authoring chops.
“While currently we’ve spotted a cryptocurrency mining payload, the most notable aspect is the spreading abilities demonstrated in the code,” Vanunu told Threatpost. “Not only was this highly obfuscated, the variety of exploits used could potentially mean we have a highly skilled threat actor behind it.”
Check Point researchers were able to correlate SpeakUp’s author with a possibly Russian-speaking malware developer under the name of Zettabit.
“Although SpeakUp is implemented differently [than Zettabit’s other code], it has a lot in common with Zettabit’s craftsmanship,” according to the analysis.
In terms of what links Zettabit to this malware, “we’ve read all of his Hack Forums posts and Github projects, so this avatar definitely knows his way around botnets,” Vanunu told Threatpost. “He even released a free example of botnet code for anyone to use. And while researching, we’ve identified two unique strings that were mentioned and used by Zettabit himself a couple of times in the past.”
This story was updated at 2:23 p.m. ET on February 4 to reflect additional details from the researchers.