S0374 SpeakUp
SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. 1
Item | Value |
---|---|
ID | S0374 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 17 April 2019 |
Last Modified | 29 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server. 1 |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.001 | Password Guessing | SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. 1 |
enterprise | T1059 | Command and Scripting Interpreter | SpeakUp uses Perl scripts. 1 |
enterprise | T1059.006 | Python | SpeakUp uses Python scripts. 1 |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | SpeakUp encodes C&C communication using Base64. 1 |
enterprise | T1203 | Exploitation for Client Execution | SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager. 1 |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | SpeakUp deletes files to remove evidence on the machine. 1 |
enterprise | T1105 | Ingress Tool Transfer | SpeakUp downloads and executes additional files from a remote server. 1 |
enterprise | T1046 | Network Service Discovery | SpeakUp checks for availability of specific ports on servers. 1 |
enterprise | T1027 | Obfuscated Files or Information | SpeakUp encodes its second-stage payload with Base64. 1 |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.003 | Cron | SpeakUp uses cron tasks to ensure persistence. 1 |
enterprise | T1082 | System Information Discovery | SpeakUp uses the cat /proc/cpuinfo |
enterprise | T1016 | System Network Configuration Discovery | SpeakUp uses the ifconfig -a command. 1 |
enterprise | T1049 | System Network Connections Discovery | SpeakUp uses the arp -a command. 1 |
enterprise | T1033 | System Owner/User Discovery | SpeakUp uses the whoami command. 1 |