New Speakup Linux Backdoor Trojan Used in Widespread Attacks

Security researchers at Check Point have identified a new Trojan named Speakup which is being used in targeted attacks on Linux servers. The Speakup Linux backdoor Trojan can also be used to attack Mac devices.

The Trojan is deployed via exploits of vulnerabilities across six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.

 The current campaign is targeting Linux devices in China, India, the Philippines, and Latin America. The Trojan was first detected in late December, but infections have increased considerably since January 22, 2019. While the malware is now being recognized by several AV engines, at the time of analysis, the malware was not being detected as malicious.

Once installed, the malware communicates with its C2 server and registers the victim’s machine. The malware attempts to spread laterally within the infected subnet via a range of RCE vulnerabilities including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN ResourceManager command execution flaw, and a JBoss AS 3/4/5/6 RCE vulnerability.

A Python script is included which scans for further Linux servers within both internal and external subnets. Access is gained through brute force means using a pre-defined list of usernames/passwords. Persistence is achieved via cron and an internal mutex which ensures only one instance remains alive at any one time.

The Speakup Linux backdoor Trojan continuously communicates with its C2 and downloads and runs a range of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running processes on an infected host, uninstall programs, and update installed files.

Check Point researchers have attributed the Speakup Linux backdoor Trojan to a threat actor known as Zettabithf.

The complex nature of the malware suggests it is likely that the goal of the attacker is not only to deploy cryptocurrency miners. Once infected, any number of different malware payloads can be deployed. Check Point suggests that more intrusive and offensive campaigns are likely to be launched.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of