Check Point researchers have offered up the details on the new SpeakUp backdoor that has been found on servers in China during the 2019 CPX 360 Cybersecurity Summit and Expo.
The malicious actors are taking advantage of CVE-2018-20062, a vulnerability in Chinese PHP frameworks, capable of targeting servers running six different Linux distributions and macOS, Bleeping Computer reported. Through the vulnerability it will use a command injection technique to send shell commands via a GET request’s module.
“Next, it will inject a backdoor by pulling the ibus Perl script payload and store it in /tmp/e3ac24a0bcddfacd010a6c10f4a814bc, which will immediately be launched with the help of a follow-up malicious HTTP request designed to execute the Perl-based backdoor, pause for a couple of seconds and delete the file to remove any indication that something is wrong,” Bleeping Computer wrote.
After SpeakUp is embedded on the server it contacts its command and control server using salted base64 and then it continues on with another of its features, the ability to behave like a worm and spread laterally through a system by brute forcing any admin logins it finds
Once it begins spreading Bleeping Computer said the malware uses a series of known remote code execution vulnerabilities to continue its work.
The Check Point researchers were even able to make a tenuous attribution by finding a connection between SpeakUp with another malware developer who goes by the name of Zettabit.