March 25, 2023

Researchers has took a campaign in to limelight targeting the Elastix system used in Digium phones.

Tracked as  CVE-2021-45461 with CVSS of 9.8 , exist in the Rest Phone Apps module to implant a web shell on VoIP servers. The attackers used the web shell to exfiltrate data by dropping additional payloads inside the target’s Digium phone software.

Advertisements

A high volume of malicious traffic likely originating from more than 500,000 unique samples over the period spanning from mid-December 2021 till the end of March 2022. The traffic targets Digium open source Asterisk communication software for VoIP phone devices.

The attack chains start with a code retrieving a shell script dropper from a remote server, which, in turn, downloads and executes obfuscated PHP backdoor in multiple locations in the file system.

The PHP backdoor also creates several root user accounts and set up a scheduled task to maintain the persistence and re-infect the host system.

The malware supports arbitrary commands via the cmd request parameter along with built-in default commands that can allow operators to carry out malicious activities.

Advertisements

This research was conducted and documented by researchers from Palo Alto Networks

Indicators of Compromise

  • hxxp[://]37[.]49[.]230[.]74/k[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/wr[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/post/noroot[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/post/root[.]php

Original Shell Scripts – SHA256 hashes

  • 000a3688455edacc1dac17539797dc98f055091898a65cd520fb8459c1bc2a2a
  • 0012342749e3bae85a9269a93661e2eb00437c71b2bca2eaca458147f9fe8471
  • 001305bd3be538e50014d42f02dee55056b73a1df770e2605aded8a970091f2f
  • 0050232e04880fbe1d0c670b711b66bb46c32febdc9513074612c90f1f24631b
  • 0059d7b736dc1e61bd5b22fff601579fbc8a12b00981fdd34fd13f0fb44688b0
  • 0088cba19eec78daee0310854c4bf8f7efc64b89bdc7517f0a1c7ebbba673f72

Local Filepaths

  • /var/www/html/admin/assets/ajax.php
  • /var/www/html/admin/assets/config.php
  • /var/www/html/admin/assets/js/config.php
  • /var/www/html/admin/modules/core/ajax.php
  • /var/www/html/digium_phones/ajax.php
  • /var/www/html/rest_phones/ajax.php
Tags:

Leave a Reply

You may have missed

Github seizes Exposed RSA SSH Key

Github seizes Exposed RSA SSH Key

March 24, 2023
MITRE Risk Model Manager Platform

MITRE Risk Model Manager Platform

March 24, 2023
Pwn2Own Vancouver 2023 -Day 2 Summary

Pwn2Own Vancouver 2023 -Day 2 Summary

March 24, 2023
Pwn2Own Vancouver 2023 -Day 1 Summary

Pwn2Own Vancouver 2023 -Day 1 Summary

March 24, 2023
ServiceNow AI and Security Enhancements in Utah release

ServiceNow AI and Security Enhancements in Utah release

March 24, 2023
LionsGate Exposes User Data

LionsGate Exposes User Data

March 23, 2023
%d bloggers like this: