VoIP phones using Digium’s software have been targeted to drop a web shell on their servers as part of an attack campaign designed to exfiltrate data by downloading and executing additional payloads.
“The malware installs multilayer obfuscated PHP backdoors to the web server’s file system, downloads new payloads for execution, and schedules recurring tasks to re-infect the host system,” Palo Alto Networks Unit 42 said in a Friday report.
The unusual activity is said to have commenced in mid-December 2021 and targets Asterisk, a widely used software implementation of a private branch exchange (PBX) that runs on the open-source Elastix Unified Communications Server.
Unit 42 said the intrusions share similarities with the INJ3CTOR3 campaign that Israeli cybersecurity firm Check Point disclosed in November 2020, alluding to the possibility that they could be a “resurgence” of the previous attacks.
images from Hacker News