Safety researchers at Check Point have recognized a new Trojan called Speedup which is being utilized in targeted attacks on Linux servers. The Speedup Linux backdoor Trojan can also be utilized to attack Mac appliances.
The Trojan is installed through abuses of weaknesses via six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.
The present campaign is targeting Linux appliances in the Philippines, China, India, and Latin America. The Trojan was first noticed in late December, but infections have risen substantially since January 22, 2019. Although the malware is now being acknowledged by numerous AV engines, at the time of analysis, the malware was not being noticed as malevolent.
As soon as fitted, the malware communicates with its C2 server and records the sufferer’s machine. The malware tries to spread laterally within the infected subnet through a variety of RCE weaknesses including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN Resource Manager command implementation fault, and a JBoss AS 3/4/5/6 RCE weakness.
A Python script is included which checks for additional Linux servers within both internal and external subnets. Access is gained via brute force implies using a pre-defined list of usernames/passwords. Perseverance is achieved through cron and an internal mutex which makes sure only one occurrence remains active at any one time.
The Speedup Linux backdoor Trojan constantly communicates with its C2 and copies and runs a variety of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running procedures on an infected host, uninstall programs, and update connected files.
Check Point scientists have attributed the Speakup Linux backdoor Trojan to a danger actor known as Zettabithf.
The complicated nature of the malware indicates it is likely that the objective of the attacker is not just to install cryptocurrency miners. When infected, any number of different malware payloads can be installed. Check Point proposes that more intrusive and aggressive campaigns are likely to be introduced.