May 13, 2024

Researchers have brought to light a campaign targeting the Elastix system used in Digium phones.

The vulnerability, tracked as CVE-2021-45461 with a CVSS score of 9.8, exists in the Rest Phone Apps module and is exploited to implant a web shell on VoIP servers. The attackers used the web shell to exfiltrate data by dropping additional payloads inside the target's Digium phone software.


Researchers observed a high volume of malicious traffic, likely originating from more than 500,000 unique samples, over the period from mid-December 2021 to the end of March 2022. The traffic targeted Digium's open source Asterisk communication software for VoIP phone devices.

The attack chain starts with code that retrieves a shell script dropper from a remote server, which in turn downloads and executes an obfuscated PHP backdoor, writing it to multiple locations in the file system.

The PHP backdoor also creates several root user accounts and sets up a scheduled task to maintain persistence and re-infect the host system.

The malware accepts arbitrary commands via the cmd request parameter, along with built-in default commands that allow the operators to carry out malicious activities.
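As an added defender-side example (not code from the article or from the Palo Alto Networks report), the script below checks web server access logs for requests to the reported drop paths that carry the web shell's cmd parameter, and checks whether those paths exist on disk. The drop paths are the ones listed under Indicators of Compromise; the log format, the web root and the sample log lines are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# Web shell drop locations reported for this campaign (taken from the article's IoC list).
WEBSHELL_PATHS = {
    "/var/www/html/admin/assets/ajax.php",
    "/var/www/html/admin/assets/config.php",
    "/var/www/html/admin/assets/js/config.php",
    "/var/www/html/admin/modules/core/ajax.php",
    "/var/www/html/digium_phones/ajax.php",
    "/var/www/html/rest_phones/ajax.php",
}
# Assumed document root used to map request paths onto the drop locations above.
WEBROOT = "/var/www/html"

# Apache/nginx combined log format (assumed): client - user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_requests(log_lines):
    """Return (client_ip, method, url_path) for requests that hit a reported drop path and carry
    the web shell's 'cmd' parameter in the query string. Access logs do not record POST bodies,
    so a 'cmd' sent in the body is invisible here; absence of hits is not a clean bill of health."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if WEBROOT + url.path in WEBSHELL_PATHS and "cmd" in parse_qs(url.query):
            hits.append((m.group("ip"), m.group("method"), url.path))
    return hits

def present_webshell_files(root="/"):
    """Return the reported drop paths that exist under `root` (point `root` at a mounted image to check offline)."""
    return sorted(p for p in WEBSHELL_PATHS if os.path.isfile(os.path.join(root, p.lstrip("/"))))

# Constructed sample log lines (not real traffic): a benign admin request, a query-string 'cmd'
# against a reported drop path, and a POST to a drop path whose body the access log cannot show.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2022:10:01:02 +0000] "GET /admin/config.php?display=extensions HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Mar/2022:10:01:09 +0000] "GET /rest_phones/ajax.php?cmd=id HTTP/1.1" 200 88',
    '198.51.100.7 - - [14/Mar/2022:10:01:15 +0000] "POST /admin/assets/ajax.php HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, method, path in suspicious_requests(SAMPLE_LOG):
        print(f"web shell command via query string: {ip} {method} {path}")
    for path in present_webshell_files():
        print(f"reported drop path present on disk: {path}")
```

Run it against the real access log with `suspicious_requests(open(path))`, and treat any file found by `present_webshell_files()` as a trigger for the full host review (root accounts, scheduled tasks) described above.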


This research was conducted and documented by researchers from Palo Alto Networks.

Indicators of Compromise

  • hxxp[://]37[.]49[.]230[.]74/k[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/wr[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/post/noroot[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/post/root[.]php

Original Shell Scripts – SHA256 hashes


Local Filepaths

  • /var/www/html/admin/assets/ajax.php
  • /var/www/html/admin/assets/config.php
  • /var/www/html/admin/assets/js/config.php
  • /var/www/html/admin/modules/core/ajax.php
  • /var/www/html/digium_phones/ajax.php
  • /var/www/html/rest_phones/ajax.php
