Hackers compromised the Elastix VoIP Systems to deliver web shells

Hackers Compromised Device Elastix VoIP Systems Web Shells RCE PHP Backdoor

A malicious threat campaign conducted by an identified group of hackers has been targeting the Elastix VoIP telephony servers and systems to deploy multiple PHP web shells. Unfortunately, there are already more than half a million malware samples that the researchers uncovered in just three months.

Based on reports, cybersecurity experts claim that the threat actors are abusing a Remote Code Execution (RCE) flaw known as CVE-2021-45461. This vulnerability resides in the Elastix VoIP systems utilised by its operators in the Digium devices module for FreePBX.

Other researchers also believed hackers exploited the RCE flaw as early as December last year.

The malicious campaign aimed to drop a PHP web shell to operate arbitrary commands on infected communications servers. Furthermore, the threat actors conducting this attack have launched over half a million unique malware strains between December last year and March this year.

This latest threat campaign is an ongoing threat and overlaps some similarities with another attack a couple of years ago. Both attack operation has systematically abused the SIP servers from different manufacturers.


A couple of adversaries used web shells to attack the Elastix VoIP.


Another researcher has observed two attack groups that use unique initial exploitation scripts to deploy a miniature shell script against Elastix VoIP. The script can install the PHP backdoor on the targeted device and design a root user account.

The shell script can try to adapt and blend into the current environment by posing a fake timestamp of the installed PHP backdoor file. Additionally, the script already knows the file on the infected system.

Researchers were then able to trace an IP address from the threat actors. One of the addresses is in the Netherlands, but the DNS records revealed links to several Russian adult websites.

In addition, the scheduled task operates every minute to acquire a PHP web shell. The web shell is base64 encoded and manages unique parameters in incoming web requests.

The researchers have given details about the strategies used by the threat actors for users to avoid potential infections. Furthermore, organisations are recommended to take advantage of the given IOCs that reveal the local file pathways of the malware, public URLs, strings, and shell scripts.

About the author

Leave a Reply