New “SpeakUp” Malware Targets Linux Servers with Miners

With cryptocurrency being good money these days, so, too, is the allure of installing miners onto servers without the owner’s permission. Earning cryptocurrency requires processing power, which inspired hackers to sneak miners onto other’s hardware and make their victims do all the work instead. A recent strand of malware called SpeakUp is using backdoor attacks to get a miner onto servers running Linux. This is especially worrying, as the software that SpeakUp targets makes up for approximately 90% of the top one million domains in the US!

How SpeakUp Works


SpeakUp functions by exploiting a flaw within ThinkPHP. Once it’s in, it creates a backdoor that allows it to contact a main control server. It notifies the control server that it has claimed a new victim. The control server logs the breach in its database of compromised servers, so it keeps track of all the places it has control of. The control server then sends the malware some instructions on what to do next.

At the moment, SpeakUp seems to only be interested in installing cryptocurrency miners on the servers it infects. It uses Monero as its currency of choice and at the time of writing has managed to accrue around $4500 from these attacks alone. It also gives itself elevated permissions, allowing it to install itself in a way that allows it to persist through restarts.

One of the more worrying traits of SpeakUp is how it spreads. It actively looks for networks connected to the server that it infected. If it finds one that has the same flaw, it automatically attacks and spreads to that server. This makes it very hard to really contain and stop, as it’s able to spread all by itself.

How Far Has It Spread?

At the moment, SpeakUp is focusing on attacking a vulnerability found in Chinese-only systems. As such, the majority of the infected servers are in China. There is, however, some splash damage to other Asian and South American countries after SpeakUp managed to “jump the border” while looking for new networks to infect.


At the moment, the rest of the world seems somewhat untouched; however, the malware can be told to attack servers using a different exploit that will allow it to infect US-based servers, so it may not stay so contained for long.

Is Mining All It Does?


At the moment, yes; all it seems to be doing is installing a miner to make the developer more Monero. The main problem, however, is how the malware is set up to perform tasks sent to it by the control server. While the malware is only installing miners right now, there’s nothing stopping the developer from sending over a new task to infected servers.

This is what makes it such a worrying development for these servers. There’s no telling what the malware is capable of; all we can tell for now is that it has the capacity to take commands from an unknown third party. What those commands could entail specifically is still unknown, but it cannot be anything good!

Speaking Up About SpeakUp

With a new malware making the rounds that hits the vast majority of the top domains, SpeakUp is quite a big threat. While it’s simply making money for its owner for the time being, there’s no knowing how it will evolve in the future.

Does this new development worry you? Let us know below.

Image credit: Bleeping Computer

Simon Batt Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.