SpeakUp

Malware updated 6 months ago (2024-05-05T08:17:37.074Z)
SpeakUp is a potent malware discovered by Shisong Qin and Bodong Zhao that exploits the Speakup screen reader driver in the Linux kernel (CVE-2020-27815). The Trojan, named after one of its command and control names, was found exploiting vulnerabilities in six different Linux distributions. Its propagation behaviour is unusual: it spreads within the infected subnet and then on to new IP ranges by exploiting remote code execution vulnerabilities, and it has also been observed infecting Mac devices with an undetected backdoor.

SpeakUp communicates with its main Command and Control (C&C) server, the compromised website speakupomaha[.]com, using HTTP POST and GET requests. Its primary function is to serve XMRig miners to the infected servers listening for it, using them for cryptocurrency mining. A persistence mechanism built on cron and an internal mutex ensures that only one instance is alive at any time. Each backdoor is equipped with a Python script named "i", which scans for and infects further Linux servers on both its internal and external subnets. The malware's modules bear some resemblance to liteHTTP, a C#-based bot that targets Windows clients.

The identity of the threat actor behind this campaign remains unconfirmed. Check Point researchers correlated SpeakUp's author with a malware developer known as Zettabit, and a profile on Hack Forums suggests the author may be Russian-speaking, judging by the language used in many comments. The unique User-Agents used in the HTTP communication between SpeakUp and the C&C could potentially help identify the threat actor. There are also indications of a possible connection between SpeakUp and East Asia, though this link remains speculative.
Description last updated: 2024-05-05T07:59:05.468Z
Aliases: none currently tracked
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Linux
Source Document References
Information about the SpeakUp malware was read from the document corpus below.
Source: CERT-EU (created 9 months ago)
Source: MITRE (created 2 years ago)