SpeakUp is a Trojan backdoor that targets both Linux and macOS devices. It was first observed in January 2019. [1]

ID: S0374
Platforms: Linux, macOS

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. [1]
Enterprise | T1132 | Data Encoding | SpeakUp encodes C&C communication using Base64. [1]
Enterprise | T1203 | Exploitation for Client Execution | SpeakUp attempts to exploit the following vulnerabilities, as well as vulnerable deployments of JBoss AS 3/4/5/6 and the Hadoop YARN ResourceManager, in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894 and CVE-2016-3088. [1]
Enterprise | T1107 | File Deletion | SpeakUp deletes files to remove evidence from the machine. [1]
Enterprise | T1168 | Local Job Scheduling | SpeakUp uses cron tasks to ensure persistence. [1]
Enterprise | T1046 | Network Service Scanning | SpeakUp checks for the availability of specific ports on servers. [1]
Enterprise | T1027 | Obfuscated Files or Information | SpeakUp encodes its second-stage payload with Base64. [1]
Enterprise | T1105 | Remote File Copy | SpeakUp downloads and executes additional files from a remote server. [1]
Enterprise | T1064 | Scripting | SpeakUp uses Perl and Python scripts. [1]
Enterprise | T1071 | Standard Application Layer Protocol | SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server. [1]
Enterprise | T1082 | System Information Discovery | SpeakUp uses the cat /proc/cpuinfo | grep -c "cpu family" 2>&1 command to gather system information. [1]
Enterprise | T1016 | System Network Configuration Discovery | SpeakUp uses the ifconfig -a command. [1]
Enterprise | T1049 | System Network Connections Discovery | SpeakUp uses the arp -a command. [1]
Enterprise | T1033 | System Owner/User Discovery | SpeakUp uses the whoami command. [1]
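The rows above name concrete, host-observable behaviours: a short chain of discovery commands (whoami, ifconfig -a, arp -a, and the cat /proc/cpuinfo | grep -c "cpu family" pipeline), cron-based persistence, and Base64-encoded parameters carried in HTTP POST/GET traffic to the C&C server. The following Python block is an added detection example written for this page; it is not SpeakUp's code, not part of the Check Point report cited as [1], and not MITRE content. It assumes a simplified process-execution log format ("<epoch> pid=<n> ppid=<n> comm=<command line>"), groups commands by parent PID, and uses constructed sample log lines and a constructed C&C request body; the PIDs, timestamps, the /tmp/.a/run.sh path and the decoded parameter values are all made up for the example.

```python
# Added detection example for the SpeakUp behaviours listed above: the
# discovery command chain (T1033/T1016/T1049/T1082), cron persistence (T1168)
# and Base64-encoded HTTP parameters (T1132/T1071). Not SpeakUp code or MITRE
# content. The exec-log format, the parent-PID grouping, the thresholds and
# the sample records are assumptions constructed for this example.
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import unquote

# Technique IDs from the page, each mapped to a regex over the command line.
DISCOVERY_PATTERNS = {
    "T1033": re.compile(r"^\s*whoami\b"),
    "T1016": re.compile(r"^\s*ifconfig\s+-a\b"),
    "T1049": re.compile(r"^\s*arp\s+-a\b"),
    "T1082": re.compile(r"""cat\s+/proc/cpuinfo\s*\|\s*grep\s+-c\s+["']?cpu family"""),
}
# crontab invocations, or writes that name the cron spool/config directories.
CRON_PATTERN = re.compile(r"\bcrontab\b|/etc/cron(?:\.d|tab)?\b|/var/spool/cron\b")

# Assumed simplified exec log: "<epoch> pid=<n> ppid=<n> comm=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\d+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+comm=(?P<cmd>.*)$")

# Constructed sample: one shell (pid 4100) runs the whole chain and then installs
# a cron job; a lone 'whoami' under init is included as a benign control.
SAMPLE_LOG = [
    "1700000000 pid=4101 ppid=4100 comm=whoami",
    "1700000003 pid=4102 ppid=4100 comm=ifconfig -a",
    "1700000005 pid=4103 ppid=4100 comm=arp -a",
    '1700000006 pid=4104 ppid=4100 comm=cat /proc/cpuinfo | grep -c "cpu family" 2>&1',
    '1700000020 pid=4105 ppid=4100 comm=(crontab -l; echo "* * * * * /tmp/.a/run.sh") | crontab -',
    "1700000900 pid=5001 ppid=1 comm=whoami",
    "this line is not an exec record",
]


def parse_line(line):
    """Return {'ts','pid','ppid','cmd'} for a well-formed record, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return {"ts": int(m["ts"]), "pid": int(m["pid"]),
            "ppid": int(m["ppid"]), "cmd": m["cmd"]}


def find_discovery_chains(lines, window=300, min_techniques=3):
    """Map parent PID -> sorted technique IDs whenever at least `min_techniques`
    distinct discovery commands run under that parent within `window` seconds.
    A single 'whoami' never fires on its own; the chain does."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for tid, pat in DISCOVERY_PATTERNS.items():
            if pat.search(ev["cmd"]):
                by_parent[ev["ppid"]].append((ev["ts"], tid))
    hits = {}
    for ppid, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {tid for ts, tid in events[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                hits[ppid] = sorted(seen)
                break
    return hits


def find_cron_persistence(lines):
    """Return (ppid, command) for every exec record that touches cron."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and CRON_PATTERN.search(ev["cmd"]):
            out.append((ev["ppid"], ev["cmd"]))
    return out


def decode_b64_params(body):
    """Decode each value of a form-encoded request body as strict Base64.
    Only percent-decoding is applied (a literal '+' is part of the Base64
    alphabet, not a space). Values that are not valid Base64 or not UTF-8
    map to None, so a malformed parameter is reported rather than crashing."""
    out = {}
    for pair in body.split("&"):
        key, _, val = pair.partition("=")
        val = unquote(val)
        try:
            out[key] = base64.b64decode(val, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            out[key] = None
    return out


if __name__ == "__main__":
    print(find_discovery_chains(SAMPLE_LOG))  # {4100: ['T1016', 'T1033', 'T1049', 'T1082']}
    print(find_cron_persistence(SAMPLE_LOG))
    # Constructed C&C body: id=4100 and cmd="uname -a", both Base64-encoded.
    print(decode_b64_params("id=NDEwMA==&cmd=dW5hbWUgLWE="))
```

The parent-PID grouping and the three-of-four threshold are the detection's main tuning knobs: any of these commands is ordinary on its own, so the signal is the set executed by one parent in a short window, and the benign control record shows a lone whoami does not fire. Strict Base64 validation (validate=True) is deliberate: without it, b64decode silently discards non-alphabet bytes and a decoder would happily "decode" plain-text parameters as garbage.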