Palo Alto Network researchers witnessing over 500,000 samples of malware implanting a web shell in Digium phone software. Pictured: A headset hangs on a cubical wall in Philadelphia. (Photo by William Thomas Cain/Getty Images)

Researchers reported finding a malware group that targeted the Elastix system used in the Digium VoIP PBX system.

In a July 15 blog post, Unit 42 researchers from Palo Alto Networks said the attacker implants a web shell to exfiltrate data by downloading and executing added payloads inside a target’s Digium phone software — a FreePBX module written in PHP.

The researchers said they have witnessed more than 500,000 unique malware samples of this family over the period spanning from late December 2021 till the end of March 2022.

Mike Parkin, senior technical engineer at Vulcan Cyber, said implanting back door web shells on vulnerable systems is nothing new. While the details have evolved over the years, and which specific techniques the attackers used to breach the system and obfuscate their attack may change, Parkin said the overall tactics and procedures remain largely the same.

“What’s somewhat surprising is that nearly half-a-million attacks were noted between December 2021 and March 2022, and this report is being released now in the middle of July,” said Parkin.