SpeakUp – Backdoor Linux Trojan

Check Point researchers have spotted a new campaign that exploits Linux servers to implant a new backdoor which evades detection by all security vendors. The new Trojan, named “SpeakUp” after one of its command and control names, exploits known vulnerabilities in six different Linux distributions.

SpeakUp propagates internally within the infected subnet, and beyond it to new IP ranges, by exploiting remote code execution vulnerabilities. In addition, SpeakUp has demonstrated the ability to infect Mac devices with the undetected backdoor.

This project was created by a user called zettabithf, who is linked to a user with the same name on Hack Forums. The Hack Forums profile may imply that the author of the SpeakUp backdoor is Russian speaking, as many of the comments are written in this language. He also seems to be a botnet developer, providing recommendations and publishing his LiteHTTP bot, which seems to have a well-designed GUI.

Further details can be found here – https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

IOCs

Md5:

SpeakUp Scripts:


XMRig Miners:


C&Cs:


Monero Wallets:

47UW2Qv7AB4CsD8L5WWSvx58ztrzHhcMeYN7AJry9aMZhGDLXGwBHLv8LpaDUxpmdWfqbbfrqpdieQAeVSMCU1qY4BFABPY
4Aa3TcU7ixMVcYwbsw8ENVbFwt4ZuqrNBVij5TRvPCTpGRK5BKBHQPu7ahT7z2A6547a5Lcn7yPZV1xU22ZbviqxUX7JVuP
4An3Radh69LgcTHJf1U3awa9ffej4b6DcUmEv8wirsDm8zRMSjifrwybH2AzHdEsW8eew3rFtk4QbGJMxqitfxmZJhABxpT

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
