September 27, 2023

Researchers have brought to light a campaign targeting the Elastix system used in Digium phones.

The vulnerability, tracked as CVE-2021-45461 with a CVSS score of 9.8, exists in the Rest Phone Apps module and is used to implant a web shell on VoIP servers. The attackers used the web shell to exfiltrate data by dropping additional payloads inside the target’s Digium phone software.


A high volume of malicious traffic, likely originating from more than 500,000 unique samples, was observed over the period from mid-December 2021 to the end of March 2022. The traffic targets Digium's open source Asterisk communication software for VoIP phone devices.

The attack chain starts with code that retrieves a shell script dropper from a remote server, which in turn downloads and executes an obfuscated PHP backdoor in multiple locations in the file system.

The PHP backdoor also creates several root user accounts and sets up a scheduled task to maintain persistence and re-infect the host system.

The malware supports arbitrary commands via the cmd request parameter along with built-in default commands that can allow operators to carry out malicious activities.


This research was conducted and documented by researchers from Palo Alto Networks.

Indicators of Compromise

  • hxxp[://]37[.]49[.]230[.]74/k[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/wr[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/post/noroot[.]php
  • hxxp[://]37[.]49[.]230[.]74/z/post/root[.]php

Original Shell Scripts – SHA256 hashes


Local Filepaths

  • /var/www/html/admin/assets/ajax.php
  • /var/www/html/admin/assets/config.php
  • /var/www/html/admin/assets/js/config.php
  • /var/www/html/admin/modules/core/ajax.php
  • /var/www/html/digium_phones/ajax.php
  • /var/www/html/rest_phones/ajax.php
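
An added detection example (not code from the Palo Alto Networks research): it scans web server access logs for requests to the local file paths listed above and rates those carrying the cmd request parameter as high severity. The mapping of /var/www/html to the web root, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Local file paths from the Indicators of Compromise section of this page.
IOC_FILES = [
    "/var/www/html/admin/assets/ajax.php",
    "/var/www/html/admin/assets/config.php",
    "/var/www/html/admin/assets/js/config.php",
    "/var/www/html/admin/modules/core/ajax.php",
    "/var/www/html/digium_phones/ajax.php",
    "/var/www/html/rest_phones/ajax.php",
]
DOCROOT = "/var/www/html"  # assumption: these files are served from this web root
IOC_URL_PATHS = {p[len(DOCROOT):] for p in IOC_FILES}

# Assumption: Apache/nginx common or combined log format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def flag_line(line):
    """Return a finding for a request to an IoC path, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    url = urlsplit(target)
    path = posixpath.normpath(unquote(url.path))  # collapse ../ and %xx tricks
    if path not in IOC_URL_PATHS:
        return None
    # Only query-string parameters appear in access logs; a POST body does not,
    # so hits without a visible cmd parameter are still kept for manual review.
    has_cmd = "cmd" in parse_qs(url.query, keep_blank_values=True)
    return {"client": client, "method": method, "path": path,
            "status": int(status), "severity": "high" if has_cmd else "review"}

def scan(lines):
    return [f for f in map(flag_line, lines) if f]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2022:03:14:07 +0000] "GET /rest_phones/ajax.php?cmd=EXAMPLE HTTP/1.1" 200 41',
    '203.0.113.9 - - [10/Jan/2022:03:15:00 +0000] "GET /admin/config.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jan/2022:03:16:22 +0000] "POST /admin/assets/js/../js/config.php HTTP/1.1" 200 12',
    '203.0.113.9 - - [10/Jan/2022:03:17:00 +0000] "GET /digium_phones/ajax.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 404 on one of these paths can indicate probing for an implant that is not present, while a 200 deserves a check of the file on disk.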
