Computer techologies

Check Point: SpeakUp backdoor has become one of the most active threats in January

Researchers at Check Point published the traditional report Global Threat Impact Index for January 2019. Experts warned that SpeakUp, a backdoor trojan now spreading mining malware, was one of the most active threats of the past month.

Let me remind you that SpeakUp attacks are mainly aimed at servers in East Asia and Latin America, including machines hosted on AWS. At the same time, malware can be dangerous not only for six Linux distributions, but also for devices on macOS.

Earlier, Check Point analysts have already written that malware comes with a built-in Python script that is used to spread the infection in the local network. The script scans the local network and searches for open ports, brute-force “neighboring” systems using a previously prepared list of logins and passwords, and then tries to use one of seven exploits from its arsenal against them.

Currently, the hack group using SpeakUp, applies backdoor to install mining Malvari on infected servers. In this way, hackers get Monero cryptocurrency. However, malware can deliver any payload and run it on compromised machines, which is why Check Point researchers consider Speakup as a serious threat.

Besides SpeakUp, in January, the first four lines of the ranking of the most active malware programs have traditionally been taken by cryptocurrency miners. Coinhive remains the main malware that has attacked 12% of organizations worldwide. XMRig again became the second most common malware (8%), followed by the miner Cryptoloot (6%).

Despite the fact that the January report presents four miners, half of all malicious forms from the top ten can be used to download additional malicious Software on infected machines.

“In January, there were small changes in the forms of malware targeted at organizations around the world, but we are finding new ways to spread malware. Such threats are a serious warning of future threats. Backdoors, such as Speakup, can avoid detection and then spread potentially dangerous malware to infected machines. Since Linux is widely used on corporate servers, we expect Speakup to become a threat to many companies, the scale and seriousness of which will grow during the year, ”comments Vasily Dyagilev, head of the representative office of Check Point Software Technologies in Russia and the CIS. – In addition, for the second month in a row, BadRabbit is in the top three most active malicious programs in Russia. So attackers exploit all possible vulnerabilities to make a profit. ”

The most active threats in January 2019:

  • Coinhive (12%) is a miner using the power of the victim’s CPU or video card and other resources for cryptocurrency mining.
  • M XMRig (8%)open source software, first discovered in May 2017, is embedded JavaScript uses a large amount of computing resources of end-user computers for mining. Used for mining cryptocurrency Monero;
  • Cryptoloot (6%) – a miner using the power of the victim’s CPU or video card and other resources for mining cryptocurrency.

As for mobile threats, here Hiddad, a modular Android backdoor, which provides the privileges of downloadable Malvari, replaced Triada in the first place. Lotoor ranked second, while Triada Trojan went down to third place.

The most active mobile threats in January 2019:

  • Hiddad is a modular backdoor for Android, which grants the rights to the superuser of the loaded malware, and also helps
  • Lotoor – uses vulnerabilities in the Android operating system to gain privileged root access on hacked mobile devices;
  • Triada – a modular Android Trojan that provides root privileges for behind loaded Malvari, and also helps to introduce it into system processes.

Check Point analysts’ conclusions were commented by Alexei Malnev, the head of the incident monitoring and response center at Jet Jet CSIRT of Jet Infosystems:

“Unlike most modern threats, SpeakUP Trojan is delivered via the communication channel and to Linux servers. Usually, attackers use email for these purposes, and threats, as a rule, target Microsoft Windows platforms.

Not surprisingly, most known anti-virus programs are not yet able to detect the threat. The reason is that 75% of successful attacks are implemented using 0-day vulnerabilities, which are designed to overcome known signature-based protection. You can detect such threats with the help of Web Application Firewall monitoring systems: for example, they allow you to detect any downloads of the shellcode. It is also useful to use a complex of behavioral analysis systems — they can be used to detect anomalies in network traffic, user behavior, and running processes. If an infection has occurred, then the monitoring of information security incidents will help. With it, you can detect malicious activity at the stage of horizontal distribution in the infrastructure – until the final realization of the threat. ”