SpeakUp Threat Report: What Is SpeakUp and How Does It Work?

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. SpeakUp uses Python and Perl scripts, and communicates with its main C&C server over HTTP using POST and GET requests. To gather system information it checks whether specific ports are open on servers and runs the `arp -a`, `ifconfig -a`, `whoami`, and `cat /proc/cpuinfo | grep -c "cpu family" 2>&1` commands. It uses cron tasks to ensure persistence, and can brute-force logins to administrative panels using a pre-defined list of usernames and passwords. SpeakUp encodes its second-stage payload with Base64 and attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, and CVE-2017-10271.

SpeakUp Malware Capabilities

SpeakUp may use Python to execute commands and scripts, as well as to compile code into binary executables. It may also use application layer protocols to communicate with remote systems, and may attempt to get information about running services and network configuration. SpeakUp may also abuse the cron utility to schedule task execution.

  • SpeakUp may use Python commands and scripts to execute malicious actions on a compromised system, and may communicate using web-based protocols in order to avoid detection. SpeakUp may also try to gather information about network connections to and from the compromised system, as well as to remote systems. This information may be used to further the goals of an attacker.
  • The SpeakUp malware may abuse command and script interpreters to execute commands, scripts, or binaries. This can allow the attacker to gain control of the system and perform various actions, such as enumerating running services and scanning for vulnerabilities. SpeakUp may also attempt to gather system and hardware information, which could be used to determine how best to exploit the system.
  • The SpeakUp malware may attempt to gather information about the network configuration and settings of the systems it accesses, including IP and MAC addresses. It may also try to identify the primary user or set of users that commonly use a system. This information may be collected in a number of different ways, including process ownership, file/directory ownership, session information, and system logs. SpeakUp may abuse the cron utility to schedule task execution for initial or recurring execution of malicious code.
  • SpeakUp may exploit software vulnerabilities in order to execute code on a remote system. It may also gain access by guessing passwords, and may encrypt, encode, or otherwise obfuscate files.
  • SpeakUp may transfer tools or other files from an external system into a compromised environment. It may also encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Additionally, SpeakUp may delete files left behind by its intrusion activity in order to minimize its footprint.

Ways to Mitigate SpeakUp Malware Attacks

  • The SpeakUp malware can be mitigated by monitoring systems for abnormal Python interpreter usage (e.g. python.exe behavior), which could be an indicator of malicious activity. It is also important to understand standard usage patterns to avoid a high number of false positives.
  • Other mitigations include proper logging of process execution and monitoring for loading of modules associated with specific scripting languages. Additionally, it is advised to view data and events in the context of an adversary's overall behavior in order to identify potential follow-up activities.
  • Another mitigation technique is monitoring for scheduled task creation from common utilities using command-line invocation. This can help to identify illegitimate scheduled tasks that may be created by malware.
  • The mitigation strategy also includes monitoring authentication logs for system and application login failures, detecting file obfuscation, and detecting software exploitation.
  • Further detection opportunities include monitoring for file creation and transfer activity, unusual network traffic, and suspicious command-line activity.
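The capability bullets above list the concrete behaviours SpeakUp exhibits (recon commands launched from Python/Perl, cron persistence, a Base64-encoded second stage, password guessing against admin panels), and the mitigation bullets ask for monitoring of interpreter usage, scheduled task creation, login failures and command-line activity. The following script is an added example (not code from the report or from any vendor) that turns those bullets into simple detection rules run over constructed, simplified process-execution and admin-panel log lines. The log format, the service-account list, the `login_failed` log syntax and the thresholds are all assumptions made for this example.

```python
"""Rule-based triage of SpeakUp-style behaviour over constructed log lines.

Added example; the log format, account names and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviours taken from the report: recon commands run by script interpreters,
# cron persistence, a Base64-decoded second stage, and login brute forcing.
INTERPRETERS = {"python", "python2", "python3", "perl"}
RECON_CMDS = ("arp -a", "ifconfig -a", "whoami", "cat /proc/cpuinfo")
SERVICE_ACCOUNTS = {"www-data", "apache", "nobody"}  # assumed web service users
B64_DECODE = re.compile(r"base64\s+(-d\b|--decode)|b64decode\(")
LOGIN_FAIL = re.compile(r"login_failed user=(\S+) src=(\S+)")

# Constructed sample data (not real telemetry). Process events use the
# simplified form "<timestamp> <host> <user> <parent_comm> <cmdline>".
PROC_EVENTS = [
    '2019-01-15T10:00:01 web01 www-data python cat /proc/cpuinfo | grep -c "cpu family" 2>&1',
    "2019-01-15T10:00:02 web01 www-data python arp -a",
    "2019-01-15T10:00:03 web01 www-data perl ifconfig -a",
    "2019-01-15T10:00:04 web01 www-data python whoami",
    "2019-01-15T10:00:05 web01 www-data python crontab -",
    "2019-01-15T10:00:06 web01 www-data python sh -c echo aGVsbG8= | base64 -d | sh",
    "2019-01-15T10:05:00 web01 alice bash ls -la /var/www",   # benign admin activity
    "2019-01-15T10:05:30 web01 alice bash whoami",            # benign: interactive shell
    "2019-01-15T10:07:00 web01 alice bash crontab -l",        # benign: interactive shell
    "2019-01-15T10:08:00 web01 root systemd /usr/sbin/cron -f",
]
# Constructed admin-panel login failures; 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges, not real sources.
AUTH_EVENTS = [
    "2019-01-15T10:10:01 web01 adminpanel login_failed user=admin src=203.0.113.5",
    "2019-01-15T10:10:02 web01 adminpanel login_failed user=root src=203.0.113.5",
    "2019-01-15T10:10:03 web01 adminpanel login_failed user=test src=203.0.113.5",
    "2019-01-15T10:10:04 web01 adminpanel login_failed user=admin src=203.0.113.5",
    "2019-01-15T10:10:05 web01 adminpanel login_failed user=administrator src=203.0.113.5",
    "2019-01-15T10:10:06 web01 adminpanel login_failed user=user src=203.0.113.5",
    "2019-01-15T10:12:00 web01 adminpanel login_failed user=alice src=198.51.100.7",  # one typo
]


def parse_proc(line):
    """Split a simplified process event into its fields."""
    ts, host, user, parent, cmdline = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmdline": cmdline}


def alert(rule, ev):
    return {"rule": rule, "host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"]}


def scan_process_events(lines, burst_n=3, burst_window=timedelta(seconds=60)):
    """Per-event rules plus a correlation rule for a burst of recon commands."""
    alerts = []
    recon_times = defaultdict(list)  # (host, user) -> timestamps of recon commands
    for line in lines:
        ev = parse_proc(line)
        cmd = ev["cmdline"]
        is_recon = cmd.startswith(RECON_CMDS)
        if is_recon:
            recon_times[(ev["host"], ev["user"])].append(ev["ts"])
        # Recon command spawned by a script interpreter rather than a user shell
        if is_recon and ev["parent"] in INTERPRETERS:
            alerts.append(alert("interpreter_recon", ev))
        # Scheduled task creation from an interpreter or a web service account
        if cmd.startswith("crontab") and (ev["parent"] in INTERPRETERS
                                          or ev["user"] in SERVICE_ACCOUNTS):
            alerts.append(alert("cron_from_cli", ev))
        # Base64-decoded content fed to a shell (encoded second stage)
        if B64_DECODE.search(cmd):
            alerts.append(alert("encoded_payload", ev))
    # Correlation: several recon commands by one account within a short window
    for (host, user), times in recon_times.items():
        times.sort()
        for i in range(len(times) - burst_n + 1):
            if times[i + burst_n - 1] - times[i] <= burst_window:
                alerts.append({"rule": "recon_burst", "host": host, "user": user,
                               "cmdline": f"{len(times)} recon commands"})
                break
    return alerts


def scan_auth_events(lines, threshold=5):
    """Flag a source with >= threshold failed logins; many distinct usernames
    from one source matches a pre-defined wordlist being tried."""
    failures = defaultdict(list)  # src -> usernames tried
    for line in lines:
        m = LOGIN_FAIL.search(line)
        if m:
            failures[m.group(2)].append(m.group(1))
    return [{"rule": "login_bruteforce", "src": src, "attempts": len(users),
             "distinct_users": len(set(users))}
            for src, users in failures.items() if len(users) >= threshold]


def triage(proc_lines=PROC_EVENTS, auth_lines=AUTH_EVENTS):
    return scan_process_events(proc_lines) + scan_auth_events(auth_lines)


if __name__ == "__main__":
    for a in triage():
        print(a)
```

On the sample data the interactive `whoami` and `crontab -l` from alice's bash session produce nothing, while the same commands launched by the web server's Python process do; that parent-process and account context is what keeps the false-positive rate manageable, as the first mitigation bullet asks. The `recon_burst` rule is the "view events in the context of overall behaviour" advice in code form: any one of the commands is ordinary, four of them from one account in three seconds is not.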

Reactionary Times News Desk
