SpeakUp

Malware Profile Updated 3 months ago
SpeakUp is a potent malware discovered by Shisong Qin and Bodong Zhao, exploiting the Speakup screen reader driver in the Linux kernel (CVE-2020-27815). This Trojan, named after one of its command-and-control (C&C) names, was found to exploit vulnerabilities in six different Linux distributions. It exhibits a distinctive propagation behavior: it spreads internally within the infected subnet and beyond it to new IP ranges by exploiting remote code execution vulnerabilities. The malware also demonstrated the ability to infect Mac devices with an undetected backdoor.

SpeakUp uses HTTP POST and GET requests to communicate with its main C&C server, the compromised website speakupomaha[.]com. Its primary function is to serve XMRig miners to the infected servers listening for it, thereby using them for cryptocurrency mining. Its persistence mechanism ensures that only one instance remains alive at any time, using cron and an internal mutex. SpeakUp equips its backdoors with a Python script known as "i", which lets the backdoor scan and infect further Linux servers in its internal and external subnets. The malware's modules bear some resemblance to liteHTTP, a C#-based bot targeting Windows clients.

While the exact identity of the threat actor behind this campaign remains unconfirmed, Check Point researchers correlated SpeakUp's author with a malware developer known as Zettabit. A profile on Hack Forums suggests that the author might be Russian-speaking, given the language used in many comments. The unique User-Agents used in the HTTP communication between SpeakUp and the C&C could potentially help identify the threat actor. There are also indications of a possible connection between SpeakUp and East Asia, though this link remains speculative.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Linux
Backdoor
Remote Code ...
Bot
Malware
Exploits
Trojan
Windows
Associated Malware
Xmrig (type: Unspecified, votes: 1): XMRig is a type of malware that is particularly harmful to computer systems and devices. It infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold your data hostage for
Associated Threat Actors
No associations to display.
Associated Vulnerabilities
CVE-2020-27815 (type: Unspecified, votes: 1): no profile description.
Source Document References
Information about the SpeakUp malware was read from the documents listed below. This display is limited to 20 results.

CERT-EU (6 months ago): USN-4749-1 | Security
MITRE (a year ago): SpeakUp: A New Undetected Backdoor Linux Trojan - Check Point Research