SecureMac, Inc.

New Linux Malware Appears, Infects Some Macs Along the Way

February 14, 2019

While the average user might think their operating system options only go so far as “PC or Mac”, the truth is that there are many more systems running behind the scenes which power a great deal of our digital infrastructure. Linux is one such system, used by hobbyists, computer enthusiasts, and enterprises to power all kinds of servers and back-end systems. Naturally, it follows that there would be malware for Linux too — though it is rarer than most. According to a story making the rounds on ZDNet and BleepingComputer, …

New Linux Malware Appears, Infects Some Macs Along the Way

While the average user might think their operating system options only go so far as “PC or Mac”, the truth is that there are many more systems running behind the scenes which power a great deal of our digital infrastructure. Linux is one such system, used by hobbyists, computer enthusiasts, and enterprises to power all kinds of servers and back-end systems. Naturally, it follows that there would be malware for Linux too — though it is rarer than most. According to a story making the rounds on ZDNet and BleepingComputer, though, a virulent new form of Linux malware is taking root worldwide — and it works on macOS, too.

Researchers call it “SpeakUp,” and it was first discovered just weeks ago in mid-January. After analysis of how it works, security professionals found it to be both sophisticated and powerful. It uses a vulnerability in a Chinese version of PHP, a server-focused programming language, called ThinkPHP; this vulnerability has been around since at least December, but SpeakUp is perhaps the most potent malware to yet exploit the loophole. By using the vulnerability, SpeakUp primarily infects Linux servers, after which it begins a rapid series of actions.

First, it phones home to its command and control server for instructions. It receives instructions and its malicious payload all while carefully encrypting its traffic to make it more difficult to pinpoint where its instructions originate. Meanwhile, SpeakUp uses a particular Python script to probe the server’s local network for other devices it can infect; if it finds targets, it spreads to them and begins the process all over again.

SpeakUp is built to take up residence on six different Linux distributions and macOS, giving it surprising reach. Researchers noted that initial infections were hyper-localized to China, but infections have since spread around the Asia-Pacific region and to South America — likely through Internet-connected servers inside company networks.

What’s all this work for in the end? Money, of course. SpeakUp so far hasn’t engaged in espionage or theft, but instead deploys Monero cryptocurrency miners to generate funds for the hackers. That doesn’t mean that’s all they can do, though; SpeakUp not only becomes persistent on its infected hosts, but it can retrieve new payloads from its masters at any time. 

For the average Mac users, this is not likely to be a threat just yet — however, it’s one piece of malware worth watching closely. Though it not known to have infected US-based machines, recent spikes in the number of infections mean that could happen at any time. However, impacts should remain minimal as it seems unlikely that many US-based systems would utilize a Chinese PHP framework. For now, researchers are keeping a close eye on this one. 

Get the latest security news and deals