{
	"id": "b00583ff-7716-4bfe-a13e-8a028ff56bbc",
	"created_at": "2026-04-06T00:21:31.676703Z",
	"updated_at": "2026-04-10T13:11:25.88746Z",
	"deleted_at": null,
	"sha1_hash": "c1d19cd19ffcc227d32ab17304742d0a5a89d823",
	"title": "Digium Phones Under Attack: Insight Into the Web Shell Implant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 352773,
	"plain_text": "Digium Phones Under Attack: Insight Into the Web Shell Implant\r\nBy Lee Wei, Yang Ji, Muhammad Umer Khan, Wenjun Hu\r\nPublished: 2022-07-15 · Archived: 2026-04-05 12:44:30 UTC\r\nExecutive Summary\r\nInstalling a web shell on a web server is a common approach malware authors take to launch exploits or run\r\ncommands remotely. In November 2020, the INJ3CTOR3 operation targeted the Sangoma PBX, a popular VoIP\r\nPBX system, by installing a web shell on its web server. Recently, Unit 42 observed another operation that targets\r\nthe Elastix system used in Digium phones. The attacker implants a web shell to exfiltrate data by downloading and\r\nexecuting additional payloads inside the target's Digium phone software (a FreePBX module written in PHP). In\r\nterms of the timeline, the web shell appears to be correlated to the remote code execution (RCE) vulnerability\r\nCVE-2021-45461 in the Rest Phone Apps (restapps) module.\r\nAs of this writing, we have witnessed more than 500,000 unique malware samples of this family over the period\r\nspanning from late December 2021 till the end of March 2022. The malware installs multilayer obfuscated PHP\r\nbackdoors to the web server's file system, downloads new payloads for execution and schedules recurring tasks to\r\nre-infect the host system. Moreover, the malware implants a random junk string to each malware download in an\r\nattempt to evade signature defenses based on indicators of compromise (IoCs).\r\nPalo Alto Networks Next-Generation Firewall customers are protected from this malware with the WildFire and\r\nThreat Prevention security subscriptions.\r\nBackground on Malicious Activity Targeting Digium’s Asterisk\r\nRecently, the WildFire team has observed a high volume of malicious traffic that seems to be originating from the\r\nsame family of samples. Specifically, we witnessed more than 500,000 unique samples over the period spanning\r\nfrom mid-December 2021 till the end of March 2022. 
This unusual activity targets Digium's widely adopted open\r\nsource Asterisk communication software for VoIP phone devices.\r\nhttps://unit42.paloaltonetworks.com/digium-phones-web-shell/\r\nPage 1 of 7\n\nFigure 1. IP PBX phone systems rely on SIP Trunking for phone connectivity. Source:\r\nhttps://www.nextiva.com/blog/what-is-ip-pbx.html\r\nElastix is the largest open source software solution for unified communications server software that brings\r\ntogether Internet Protocol (IP) Private Branch Exchange (PBX), email, IM, faxing and collaboration functionality.\r\nIt has a web interface and includes capabilities such as call center software with predictive dialing. Its\r\nfunctionality is based on open source projects including Asterisk, FreePBX, HylaFAX, Openfire and Postfix.\r\nFreePBX is the most widely used open source IP PBX software in the world, offering organizations an all-in-one\r\nsolution. It is freely available to download and install, complete with all the basic elements needed to build a\r\nphone system. It is sponsored and developed by Sangoma and a robust global community. It features an intuitive\r\nmodular graphical user interface (GUI), harnessing the power of Asterisk, making it much easier to deploy and\r\nuse. digium_phones is a FreePBX module written in PHP.\r\nThe malicious activity we recently observed bears similarity to the INJ3CTOR3 report released by Check Point\r\nResearch two years ago, and could potentially be a resurgence of this attack campaign. A report was posted on the\r\nFreePBX community forum in December 2021, followed by another report in January 2022. These reports are\r\nconsistent with the proposition that this is indeed a resurgence of the previous campaign. For instance, the eight\r\ndefault available commands below were shown in the INJ3CTOR3 report (dated Nov. 
5, 2020) in Figure 12, \"The\r\nattacker’s web panel.\" These are identical to those listed in the FreePBX community forum thread \"K.php - a\r\nRestApps malicious script,\" post 21/74 (dated Jan. 12, 2022), by Denis Soloviov and others.\r\n1. ls -la\r\n2. ps -aux --forest\r\n3. asterisk -rx 'core show channels'\r\n4. asterisk -rx 'sip show peers'\r\n5. cat /etc/elastix.conf\r\n6. cat /etc/asterisk/sip_additional.conf\r\n7. cat /etc/asterisk/extensions_custom.conf\r\n8. cat /etc/amportal.conf\r\nFurther research shows that our finding could be a consequence of the official announcement of a known security\r\nissue, CVE-2021-45461 Potential Rest Phone Apps RCE. This vulnerability lies in the Rest Phone Apps (restapps)\r\nmodule, allowing for a URL variable to potentially get passed, resulting in a remote code execution (RCE)\r\nscenario.\r\nIn this blog, we illuminate the inner workings of the initial dropper shell script, which installs the PHP web shell\r\nbackdoor and attempts to maintain the foothold inside the target's environment.\r\nAttack Vector\r\nFigure 2. Pie chart depicting the clustering of the sample set into two main groups (Group 1 and\r\nGroup 2). Group 2 is more dominant.\r\nWe were able to broadly categorize our original sample set into two main groups (Group 1 and 2), with one of the\r\ngroups (Group 2) being further subdivided into two subgroups (A and B). We believe that Group 1 and Group 2\r\nrepresent different versions of the attack script (Group 2 is the later version). The subgroups A and B indicate two\r\ndifferent clusters of targets.\r\n                    | Group 1     | Group 2\r\nHeading             | ZenharPanel | Ask Master\r\nSubmit button label | ZenharR     | Ask\r\nTable 1. Table depicting the characteristics of two main groups (Group 1 and Group 2) in terms of Heading and\r\nSubmit button label.\r\nFigure 3a. Code outline of initial dropper script (variant 1).\r\n
Figure 3b. Code outline of initial dropper script (variant 2).\r\nThe initial dropper scripts are generally small in terms of filesize:\r\n12,750-byte payload fetched from hxxp[://]37[.]49[.]230[.]74/z/wr[.]php\r\n17,215-byte payload fetched from hxxp[://]37[.]49[.]230[.]74/k[.]php\r\nWe would typically expect this from a shell script embedding a PHP web shell payload. There are always 14 lines\r\nof code, wrapped in multiple layers of Base64 encoding to hide certain key areas, and one of the Base64-encoded\r\npayloads was duplicated.\r\nFigure 4. Overview of initial dropper script.\r\nInitial Dropper\r\nThe initial dropper is a shell script with two main objectives, namely:\r\n1. Install the obfuscated PHP backdoor in multiple locations in the file system.\r\n2. Maintain access by:\r\n   a. Creating several root user accounts.\r\n   b. Setting up a scheduled task to re-infect the host system.\r\nThis dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP\r\nbackdoor file to that of a known file already on the system. Furthermore, the dropper belonging to variant 1, as\r\ndepicted in Figure 3a, fetches and executes a remote script from the attacker's infrastructure: IPv4 address\r\n37[.]49[.]230[.]74.\r\nThis IPv4 address is geographically located in the Netherlands. Extracting its past DNS records reveals\r\nassociation to mostly adult-themed Russian domains.\r\n
At the time of writing, we verified that parts of the attacker infrastructure remain online and are actively serving\r\nmalicious payloads, particularly:\r\nhxxp[://]37[.]49[.]230[.]74/k[.]php\r\nhxxp[://]37[.]49[.]230[.]74/z/wr[.]php\r\nThe following were inactive at that point in time:\r\nhxxp[://]37[.]49[.]230[.]74/z/post/noroot[.]php\r\nhxxp[://]37[.]49[.]230[.]74/z/post/root[.]php\r\nWeb Shell\r\nThe PHP web shell contains random junk comments, in an attempt to evade signature-based defenses.\r\nAdditionally, it is wrapped in multiple layers of Base64 encoding, in order to mask its true intent. It is able to\r\nhandle the following parameters in the incoming web request:\r\n- md5\r\n- admin\r\n- cmd\r\n- call\r\nThe web shell is protected by a hardcoded \"MD5 authentication hash,\" which seems to be uniquely mapped to the\r\nvictim's public IPv4 address.\r\nThe user-supplied md5 parameter in the incoming web request is required to match this authentication hash before\r\nthe login is successful and the session is established, such that the user can interact with the web shell.\r\nThe web shell is also able to accept an admin parameter, which can either be the value Elastic or Freepbx. Then\r\nthe respective Administrator session will be created.\r\nBesides supporting arbitrary commands via the cmd request parameter, the following built-in default commands\r\nare included:\r\n1. ls -la\r\n2. ps -aux --forest\r\n3. asterisk -rx 'core show channels'\r\n4. asterisk -rx 'sip show peers'\r\n5. cat /etc/elastix.conf\r\n6. cat /etc/asterisk/sip_additional.conf\r\n7. cat /etc/asterisk/extensions_custom.conf\r\n8. cat /etc/amportal.conf\r\n
Lastly, there is a call HTTP request parameter, which starts a call from the Asterisk command line interface (CLI):\r\nasterisk -rx \"channel originate Local/'\u003cprs\u003e\u003cnum\u003e@\u003ccontext\u003e application wait \u003ctime\u003e'\"\r\nConfiguration File\r\nAnother Base64-encoded payload replaces the .htaccess configuration file, in order to enable the behavior \"follow\r\nsymbolic links,\" as well as render config.php as the default page. .htaccess is a configuration file used by the Apache\r\nweb server to specify configuration options on a per-directory basis. It contains one or more configuration\r\ndirectives, which apply to that directory and all subdirectories thereof.\r\nPersistence Mechanism\r\nThe sample attempts to achieve persistence via the following means:\r\n1. Creation of root user accounts:\r\n   - Named sugarmaint, with password uenQjcP3Il/zE\r\n   - Named supports, with password uenQjcP3Il/zE\r\n2. Adding a scheduled task entry that:\r\n   - Runs every minute.\r\n   - Fetches a remote copy of the script from hxxp[://]37[.]49[.]230[.]74/k[.]php\r\n   - Executes it in the shell.\r\nConclusion\r\nThe strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way\r\nto catch advanced intrusions is a defense-in-depth strategy. Only by orchestrating multiple security appliances and\r\napplications in a single pane can defenders detect these attacks.\r\nAside from the numerous protections offered across the Palo Alto Networks product suite, WildFire, Advanced\r\nURL Filtering and Threat Prevention provide coverage for this family of samples. In particular, Palo Alto\r\nNetworks customers receive protections in the following ways:\r\n- Malware sandbox detection through WildFire (Next-Generation Firewall security subscription),\r\n- Advanced URL Filtering categorizes those source URLs as serving malicious payloads, and would block\r\nthe access attempts,\r\n- An array of defenses including IPS and AppID in Threat Prevention (Next-Generation Firewall security\r\nsubscription).\r\nIndicators of Compromise\r\nRemote Public URLs\r\nhxxp[://]37[.]49[.]230[.]74/k[.]php\r\nhxxp[://]37[.]49[.]230[.]74/z/wr[.]php\r\nhxxp[://]37[.]49[.]230[.]74/z/post/noroot[.]php\r\nhxxp[://]37[.]49[.]230[.]74/z/post/root[.]php\r\nOriginal Shell Scripts - SHA256 hashes\r\nLocal Filepaths\r\n/var/www/html/admin/assets/ajax.php\r\n/var/www/html/admin/assets/config.php\r\n/var/www/html/admin/assets/js/config.php\r\n/var/www/html/admin/modules/core/ajax.php\r\n/var/www/html/digium_phones/ajax.php\r\n/var/www/html/rest_phones/ajax.php\r\nUnique Strings\r\nZenharPanel\r\nZenharR\r\nAsk Master\r\nSource: https://unit42.paloaltonetworks.com/digium-phones-web-shell/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/digium-phones-web-shell/"
	],
	"report_names": [
		"digium-phones-web-shell"
	],
	"threat_actors": [
		{
			"id": "07d5d8cf-7a15-47de-a1b7-a3333f064290",
			"created_at": "2026-02-07T02:00:03.660294Z",
			"updated_at": "2026-04-10T02:00:03.959064Z",
			"deleted_at": null,
			"main_name": "INJ3CTOR3",
			"aliases": [],
			"source_name": "MISPGALAXY:INJ3CTOR3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434891,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1d19cd19ffcc227d32ab17304742d0a5a89d823.pdf",
		"text": "https://archive.orkl.eu/c1d19cd19ffcc227d32ab17304742d0a5a89d823.txt",
		"img": "https://archive.orkl.eu/c1d19cd19ffcc227d32ab17304742d0a5a89d823.jpg"
	}
}