S0374 SpeakUp

SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. [1]

| Item | Value |
| --- | --- |
| ID | S0374 |
| Associated Names | |
| Version | 1.1 |
| Created | 17 April 2019 |
| Last Modified | 29 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server. [1] |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.001 | Password Guessing | SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | SpeakUp uses Perl scripts. [1] |
| enterprise | T1059.006 | Python | SpeakUp uses Python scripts. [1] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | SpeakUp encodes C&C communication using Base64. [1] |
| enterprise | T1203 | Exploitation for Client Execution | SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | SpeakUp deletes files to remove evidence on the machine. [1] |
| enterprise | T1105 | Ingress Tool Transfer | SpeakUp downloads and executes additional files from a remote server. [1] |
| enterprise | T1046 | Network Service Discovery | SpeakUp checks for availability of specific ports on servers. [1] |
| enterprise | T1027 | Obfuscated Files or Information | SpeakUp encodes its second-stage payload with Base64. [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.003 | Cron | SpeakUp uses cron tasks to ensure persistence. [1] |
| enterprise | T1082 | System Information Discovery | SpeakUp uses the `cat /proc/cpuinfo` |
| enterprise | T1016 | System Network Configuration Discovery | SpeakUp uses the `ifconfig -a` command. [1] |
| enterprise | T1049 | System Network Connections Discovery | SpeakUp uses the `arp -a` command. [1] |
| enterprise | T1033 | System Owner/User Discovery | SpeakUp uses the `whoami` command. [1] |