Delaware, USA – February 6, 2019 – The new campaign targets Linux and MacOS systems primarily in Asia, Central and South America. Checkpoint’s researchers discovered that adversaries use SpeakUp backdoor to gain access to the systems and install the infamous XMRig for mining Monero cryptocurrency. For initial infection, they exploit CVE-2018-20062 vulnerability that allows them to execute code remotely. Adversaries send and run a Perl-based backdoor, the traces of which are deleted a few seconds after the script is executed. Three weeks ago, any anti-virus solution couldn’t identify the script as malicious. After execution, SpeakUp contacts the command and control server and receives instructions for installing additional malware. Now it’s XMRig, but the backdoor allows adversaries to download and run any malware. In addition, the backdoor exploits a number of known vulnerabilities to try to penetrate the organization’s internal network through a compromised server.
A detailed analysis of another campaign targeted at Linux servers was published by JASK. Attackers used Shellbot malware and SSH brute-force technique to infect as many systems as possible. It is also worth recalling the recent campaign distributed Rabbot malware that used the same technique to install CNRig and CoinHive cryptocurrency miners. To detect your Linux servers misuse and compromise attempts, you can use the Web Application Security Framework rule pack: https://my.socprime.com/en/integrations/web-application-security-framework-arcsight