SpeakUp – Backdoor Linux Trojan
Check Point researchers have spotted a new campaign exploiting Linux servers to implant a new backdoor that evades detection by all security vendors. The new Trojan, named “SpeakUp” after one of its command and control names, exploits known vulnerabilities in six different Linux distributions.
SpeakUp propagates internally within the infected subnet, and beyond it to new IP ranges, by exploiting remote code execution vulnerabilities. In addition, SpeakUp has shown the ability to infect Mac devices with the undetected backdoor.
This project was created by a user called zettabithf, who is linked to a user with the same name on Hack Forums. The Hack Forums profile may imply that the author of the SpeakUp backdoor is Russian-speaking, as many of the comments are written in this language. He also seems to be a botnet developer, providing recommendations and publishing his LiteHTTP bot, which seems to have a well-designed GUI interface.
Further details can be found here – https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

IOCs

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.