Linux servers are the target of a new crypto-mining campaign in which a malware dubbed "Speak Up" implants a backdoor Trojan by exploiting known vulnerabilities in six different Linux distributions, according to research from Check Point.
The malware has been seen targeting servers predominantly in Asia and Latin America, including machines hosted by Amazon Web Services (AWS) and Mac devices. Because it implants a new backdoor for which there currently are no detections in VirusTotal, the backdoor is reportedly able to evade all security vendors’ anti-virus software, according to today's blog post. Researchers detected Speak Up being used to spread the XMRig crypto-miner to a machine in China, which was reported to VirusTotal on January 9, 2019.
Researchers warned that the malware's "obfuscated payloads and propagation technique is beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive."
According to the report, the malware remains in communication with its command and control (C&C), receiving its next task instructions on what researchers called a “fixed ‘knock’ interval.” Built-in to the malware is a Python script that enables lateral movement on the network. The script also scans the local networks for open ports, forces its way into nearby systems using a list of predefined usernames and passwords and then uses one of seven exploits to take over unpatched systems.
“This is malware that targets Linux and macOS. Once this malware is on a system, it does all the same things any malware would do. It follows the attack lifecycle verbatim,” said Chris Morales, head of security analytics at Vectra. “Those behaviors include running shell commands, executing files downloaded from a remote C&C server, and updating or uninstalling itself.
“By monitoring the internal network with machine learning, the listed behaviors becomes a list of behaviors that every attack must perform, and every one of these behaviors is detectable. In fact, the more the attack does, the easier it becomes to notice.”