SpeakUp

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [1]

ID: S0374
Type: MALWARE
Platforms: Linux, macOS
Version: 1.1
Created: 17 April 2019
Last Modified: 29 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server. [1]

Enterprise T1110 .001 Brute Force: Password Guessing

SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. [1]

Enterprise T1059 Command and Scripting Interpreter

SpeakUp uses Perl scripts.[1]

.006 Python

SpeakUp uses Python scripts.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

SpeakUp encodes C&C communication using Base64. [1]

Enterprise T1203 Exploitation for Client Execution

SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager. [1]

Enterprise T1070 .004 Indicator Removal: File Deletion

SpeakUp deletes files to remove evidence on the machine. [1]

Enterprise T1105 Ingress Tool Transfer

SpeakUp downloads and executes additional files from a remote server. [1]

Enterprise T1046 Network Service Discovery

SpeakUp checks for availability of specific ports on servers.[1]

Enterprise T1027 Obfuscated Files or Information

SpeakUp encodes its second-stage payload with Base64. [1]

Enterprise T1053 .003 Scheduled Task/Job: Cron

SpeakUp uses cron tasks to ensure persistence. [1]

Enterprise T1082 System Information Discovery

SpeakUp uses the cat /proc/cpuinfo | grep -c "cpu family" 2>&1 command to gather system information. [1]

Enterprise T1016 System Network Configuration Discovery

SpeakUp uses the ifconfig -a command. [1]

Enterprise T1049 System Network Connections Discovery

SpeakUp uses the arp -a command. [1]

Enterprise T1033 System Owner/User Discovery

SpeakUp uses the whoami command. [1]

References