Posted on February 6, 2019 at 10:31 AM
According to a new report published by Check Point security researchers, a malware campaign is targeting Linux servers in numerous South American and Asian countries. The paper, published on Monday, calls the campaign ‘SpeakUp,’ after the name of one of its command and control (C&C) servers. So far, the threat has used known vulnerabilities to infiltrate servers running at least six Linux distributions, and the researchers say it also endangers macOS.
As is often the case with new threats, the malware has so far avoided detection by anti-virus software. Once on a machine, it installs a backdoor which can later be used for further access. Researchers estimate that the SpeakUp campaign has affected over 70,000 servers around the world.
Until now, all that those behind the campaign have used the compromised servers for is deploying cryptocurrency mining software. The focus is on Monero (XMR), the coin attackers usually choose in similar campaigns. Researchers traced the wallet that receives the mined coins and found that the attackers have already mined 107 XMR, worth around $4,600 at the time.
Check Point’s attempts to determine who is behind the attacks have not been successful so far, although the researchers believe that a Russian-speaking threat actor known as Zettabit might be behind the campaign. There is no solid proof to support the theory yet, and SpeakUp is implemented differently from the actor’s previous malware. However, there are also multiple similarities that point towards Zettabit.
What does SpeakUp do?
The attackers use a recently patched flaw in the ThinkPHP framework to gain access to unpatched, internet-facing servers. After that, they plant SpeakUp, a backdoor trojan, which currently uses the compromised servers for crypto mining. At the same time, it uses a built-in Python script to keep spreading, scanning for further hosts and breaking into them with brute-force attacks on their login credentials.
It can scan both external and internal networks for new targets to exploit, run shell commands, download new files from the C&C server, update itself, or even uninstall itself if necessary for some reason.
While operational, SpeakUp contacts the C&C server every three seconds to request new orders. According to the researchers, the server answers with one of three commands: notask, newtask, or newerconfig.
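A fixed three-second check-in is the kind of behaviour a defender can hunt for in network logs without needing a signature for the payload. The following script is an added example, not code from the Check Point report or from this article: it groups outbound connections by source and destination, measures the gaps between them, and flags flows whose inter-arrival time sits close to a configurable interval with very little jitter. The log format, host names and addresses are constructed for illustration; only the three-second interval comes from the write-up.

```python
"""Detect fixed-interval beaconing in outbound connection logs.

Added example, not part of the original article or Check Point's report.
The only fact taken from the write-up is the 3-second check-in interval;
the log format, hosts and IP addresses below are constructed (documentation
ranges), not real C&C infrastructure.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample: 10.0.0.5 checks in every ~3 s (beacon-like),
# 10.0.0.9 browses with irregular gaps, 10.0.0.7 only connects twice.
SAMPLE_LOG = """\
2019-02-04T10:00:00.000 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:00.000 src=10.0.0.9 dst=198.51.100.20 dport=443
2019-02-04T10:00:01.500 src=10.0.0.9 dst=198.51.100.20 dport=443
2019-02-04T10:00:03.020 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:05.990 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:09.000 src=10.0.0.9 dst=198.51.100.20 dport=443
2019-02-04T10:00:09.010 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:10.000 src=10.0.0.9 dst=198.51.100.20 dport=443
2019-02-04T10:00:12.000 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:12.000 src=10.0.0.7 dst=203.0.113.7 dport=80
2019-02-04T10:00:15.030 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:15.000 src=10.0.0.7 dst=203.0.113.7 dport=80
2019-02-04T10:00:17.980 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:21.000 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:24.010 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:27.000 src=10.0.0.5 dst=203.0.113.7 dport=80
2019-02-04T10:00:30.000 src=10.0.0.9 dst=198.51.100.20 dport=443
2019-02-04T10:00:31.200 src=10.0.0.9 dst=198.51.100.20 dport=443
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3)


def interarrival_seconds(timestamps):
    """Gaps between consecutive events, in seconds, oldest first."""
    ordered = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def find_beacons(log_text, expected_interval=3.0, tolerance=0.5,
                 min_events=5, max_jitter=0.2):
    """Flag (src, dst) flows whose median gap is near expected_interval.

    jitter is the population standard deviation of the gaps divided by the
    median gap; a real beacon has a small value, human-driven traffic does not.
    min_events keeps one-off coincidences from producing alerts.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst = parsed
            flows[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        gaps = interarrival_seconds(stamps)
        med = median(gaps)
        if med <= 0:
            continue
        jitter = pstdev(gaps) / med
        if abs(med - expected_interval) <= tolerance and jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "median_gap": round(med, 2), "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {hit['src']} -> {hit['dst']} "
              f"({hit['events']} events, median gap {hit['median_gap']}s, "
              f"jitter {hit['jitter']})")
```

On the constructed sample only the 10.0.0.5 flow is reported; the browsing host fails the interval check and the two-connection host never reaches min_events. In practice the interval and jitter thresholds should be tuned against a baseline of known-good traffic, since legitimate agents (monitoring, NTP, update checks) also poll on fixed timers and will show up until they are allow-listed.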
More dangerous than it seems
While breaching 70,000 servers is no small task, the threat has so far done little apart from spreading further and mining a little over 100 coins. However, its infection methods, obfuscated payloads and propagation techniques also make it far more dangerous should the operators decide to change the malware’s purpose.
Check Point warns that the payload could be switched to more damaging code with relative ease. It is not yet clear what such a change might include or how the malware would then behave, but the researchers agree that the careful preparation seen so far looks like the groundwork for a much bigger threat that has yet to arrive. The effort put into the campaign is far too great for SpeakUp to be used only for crypto mining while the ability to deploy additional payloads remains.
Meanwhile, although ThinkPHP is most widely used in countries such as China and Brazil, it is also used in the US. No infections of US-based servers have been reported so far, but the researchers believe it may only be a matter of time before that happens.