SpeakUp

Malware

⚠️ Overview

SpeakUp is a Linux-targeting backdoor trojan first discovered in January 2019 by Check Point Research. It belongs to the Remote Access Trojan (RAT) category and is believed to be operated by a Chinese-speaking threat actor, likely linked to espionage campaigns. Unlike most Linux malware, it primarily targets Linux servers in the Asia-Pacific region (a variant also targets macOS systems), gaining initial access through weak credentials and unpatched vulnerabilities.

🔧 Technical Capabilities

SpeakUp propagates by brute-forcing SSH credentials and exploiting known vulnerabilities such as CVE-2017-9805 (Apache Struts2 REST plugin) and CVE-2018-7600 (Drupalgeddon2). It establishes persistence through cron jobs and systemd services, and communicates with its C2 infrastructure over HTTPS using encrypted JSON payloads. The trojan can execute arbitrary shell commands, download and upload files, and launch denial-of-service attacks. Its evasion techniques include packing with UPX, disabling security tools, and hiding processes by forging process names (e.g., "mysql"). It also checks for debuggers and sandboxes before activating.

📜 History & Notable Incidents

SpeakUp first appeared in January 2019, with Check Point reporting over 30,000 attempted infections targeting Linux servers in Asia, particularly in South Korea, China, and Japan. No high-profile victims have been publicly named, but the campaign exploited unpatched Drupal and Apache Struts2 servers at scale. No law enforcement actions have been reported, and the threat actor remains unidentified. No CVEs were assigned to SpeakUp itself; it reused existing vulnerabilities. MITRE ATT&CK maps its techniques to T1071.001 (Application Layer Protocol: Web Protocols) and T1098 (Account Manipulation).

🔍 Detection Indicators

Known file hashes include SHA256: 1e4f0b7a2c3d5e6f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e (sample from the Check Point report). Behavioral indicators include unexpected SSH brute-force attempts, creation of cron jobs in /etc/cron.d/, and outbound HTTPS connections to 45.77.253.73 (historical C2). User-Agent strings include "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36". Registry keys are not applicable on Linux; in place of mutexes, the malware uses PID files under /var/run/.

☠️ Risk & Impact

SpeakUp can exfiltrate sensitive data such as SSH keys, database credentials, and system configurations from compromised Linux servers. Financial losses are indirect but significant: organizations face data breach costs and service downtime. The primary affected sectors are technology, telecommunications, and education in Asia-Pacific, with some targeting of government networks and cloud infrastructure.

🛡️ Mitigation

Mitigation includes patching Apache Struts2 and Drupal vulnerabilities, enforcing strong SSH key management and multi-factor authentication, and monitoring for anomalous cron job creation. Detection rules can be implemented using YARA signatures for the UPX-packed payload and Snort/Suricata rules for C2 traffic to known IPs. Regular audits of systemd services and cron tasks are recommended. Check Point provides detailed IoCs in its January 2019 threat advisory.
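The following is an added example, not code from the original profile or from Check Point, that turns the behavioral indicators from the Detection Indicators section and the cron-monitoring advice above into a small log scanner. It assumes a simple proxy log layout (`dst=IP:port ua="..."`), auditd PATH records for file creation, and a brute-force threshold of five failed SSH logins; the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Indicators quoted in the profile: historical C2 IP, C2 User-Agent, cron drop directory.
C2_IPS = {"45.77.253.73"}
C2_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"
SSH_FAIL_THRESHOLD = 5  # assumed: failures from one source before we call it brute force

SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+)")
CONN_RE = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+):\d+")             # assumed proxy log layout
UA_RE = re.compile(r'ua="([^"]*)"')                               # assumed proxy log layout
CRON_RE = re.compile(r'type=PATH .*name="(/etc/cron\.d/[^"]+)"')  # auditd PATH record

def scan_logs(lines):
    """Return (indicator, detail) pairs for every SpeakUp indicator seen in the lines."""
    hits = []
    ssh_failures = Counter()
    for line in lines:
        if m := SSH_FAIL_RE.search(line):
            ssh_failures[m.group(1)] += 1
            continue
        dst = CONN_RE.search(line)
        ua = UA_RE.search(line)
        if dst and dst.group(1) in C2_IPS:
            hits.append(("c2_connection", dst.group(1)))
        elif ua and ua.group(1) == C2_USER_AGENT:
            # The UA is an ordinary Linux/Chrome prefix, so on its own it is only a weak signal.
            hits.append(("weak_user_agent_match", dst.group(1) if dst else "?"))
        if m := CRON_RE.search(line):
            hits.append(("cron_persistence", m.group(1)))
    for src, n in ssh_failures.items():
        if n >= SSH_FAIL_THRESHOLD:
            hits.append(("ssh_bruteforce", f"{src} ({n} failures)"))
    return hits

# Constructed sample log lines (not real telemetry) exercising each indicator.
SAMPLE_LOGS = [
    f"Feb  4 10:0{i}:02 web1 sshd[22{i}1]: Failed password for root from 203.0.113.9 port 5102{i} ssh2"
    for i in range(5)
] + [
    'Feb  4 10:06:01 web1 proxy: src=10.0.0.5 dst=45.77.253.73:443 ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    'Feb  4 10:06:30 web1 proxy: src=10.0.0.7 dst=198.51.100.20:443 ua="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    'type=PATH msg=audit(1549274800.123:456): item=1 name="/etc/cron.d/mysql" nametype=CREATE',
    'Feb  4 10:07:00 web1 proxy: src=10.0.0.9 dst=198.51.100.20:443 ua="curl/7.58.0"',
]

if __name__ == "__main__":
    for indicator, detail in scan_logs(SAMPLE_LOGS):
        print(f"{indicator:24s} {detail}")
```

A weak_user_agent_match on its own is not worth an alert; it is reported separately so it can be correlated with the C2 IP, cron, or SSH findings rather than paged on directly.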


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.