
Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems
Imagine your critical communication infrastructure silently hijacked, routing calls at your expense, all while the attackers remain virtually undetectable. This isn’t a hypothetical scenario; it’s the reality for many organizations running internet-exposed FreePBX systems. A sophisticated threat actor group, INJ3CTOR3, has unleashed a cunning PHP webshell named JOMANGY, engineered with an unprecedented six layers of persistence to maintain an iron grip on compromised servers. This campaign highlights a significant and evolving threat to VoIP systems globally.
The INJ3CTOR3 Campaign and JOMANGY Webshell
The INJ3CTOR3 group is systematically targeting FreePBX installations, specifically those exposed to the internet. Their objective is clear: to establish long-term access and leverage these compromised systems, primarily for routing calls at the victim’s expense – a scheme known as toll fraud. The cornerstone of their operation is the JOMANGY PHP webshell. Unlike typical webshells that might rely on one or two methods of persistence, JOMANGY integrates six distinct mechanisms, making it exceptionally resilient to detection and removal.
Understanding Six-Layer Persistence
The innovation behind JOMANGY lies in its multi-layered approach to persistence. Each layer acts as a fallback, ensuring that even if one method of access is discovered and removed, several others remain operational, allowing the attackers to regain control. While the researchers who uncovered the campaign have not published the specifics of all six layers, the general principle involves a combination of:
- Webserver Configuration Backdoors: Modifying configuration files (e.g., Apache, Nginx) to load malicious PHP scripts or directives.
- Cron Jobs: Scheduling regular tasks that re-establish access, download new payloads, or run malicious commands.
- System Service Modifications: Altering legitimate system services to execute attacker-controlled scripts upon boot or at regular intervals.
- Backdoored Legitimate Files: Injecting malicious code into existing FreePBX core files or extensions, making detection difficult.
- Invisible Files/Folders: Creating hidden directories and files that house critical components of the webshell, often disguised as legitimate system artifacts.
- Remote Access Tools: Installing secondary remote access tools (RATs) to ensure access even if the webshell itself is discovered.
The Impact on FreePBX Users
For organizations utilizing FreePBX, the implications of such a sophisticated attack are severe. Beyond the immediate financial burden of toll fraud, compromised systems can lead to:
- Data Exfiltration: Sensitive call detail records (CDRs), user information, and other system data could be stolen.
- Reputational Damage: Being associated with fraudulent activity can harm an organization’s standing.
- Service Disruption: Malicious activity can degrade system performance or lead to outages.
- Further Compromises: A compromised FreePBX system can serve as a pivot point for attackers to gain access to other internal networks.
Remediation Actions and Prevention
Securing FreePBX systems against threats like JOMANGY requires a proactive and multi-faceted approach. There are no specific CVEs associated with the JOMANGY webshell itself, as it’s a malware payload rather than a vulnerability in FreePBX software. However, the initial compromise likely exploits known or zero-day vulnerabilities in FreePBX or its associated components. Effective remediation and prevention strategies include:
- Patch Management: Regularly apply all security updates and patches for FreePBX, its underlying operating system, and all installed modules. Many attacks leverage CVE-2022-38446 and other vulnerabilities in older versions.
- Principle of Least Privilege: Ensure that the FreePBX system and its services run with the minimum necessary permissions.
- Strong Authentication: Enforce complex passwords and multi-factor authentication (MFA) for all administrative interfaces.
- Access Control: Restrict administrative access to FreePBX dashboards and SSH logins to trusted IP addresses only.
- Network Segmentation: Isolate FreePBX systems from critical internal networks.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions to monitor for suspicious network traffic and known attack patterns.
- Regular Backups: Maintain regular, offsite backups of your FreePBX configuration and data to facilitate recovery in case of a breach.
- File Integrity Monitoring (FIM): Implement FIM to detect unauthorized changes to critical system files, configuration files, and webshell locations.
- Security Audits: Conduct regular security audits and penetration tests of your FreePBX environment.
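As an added example (not code from the article or from the FreePBX project), a minimal baseline-and-diff file integrity check in Python for a FreePBX web root: it hashes every file, reports added, removed and modified files, and separately flags dot-prefixed paths, which the article lists as one of the persistence layers. The web root layout and the simulated post-compromise changes in `demo()` are constructed for illustration, not real indicators.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large recordings or logs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash.
    pathlib's rglob, unlike a shell glob, also descends into dot-directories."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }

def compare(baseline: dict, root: Path) -> dict:
    """Diff the live tree against a trusted baseline and flag hidden paths."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        # dot-prefixed files or directories anywhere in the web root
        "hidden": sorted(p for p in current if any(s.startswith(".") for s in p.split("/"))),
    }

def demo() -> dict:
    """Constructed scenario (not real indicators): baseline a tiny fake web root,
    then simulate an edited core file, a dropped hidden directory and a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "admin").mkdir()
        (root / "admin" / "config.php").write_text("<?php // legitimate core file\n")
        (root / "index.php").write_text("<?php // legitimate entry point\n")
        baseline = build_baseline(root)  # in practice: store offline, compare on a schedule
        (root / "admin" / "config.php").write_text("<?php // core file\n// appended line\n")
        (root / ".cache").mkdir()
        (root / ".cache" / "x.php").write_text("<?php // dropped in a hidden directory\n")
        (root / "uploads.php").write_text("<?php // newly added file\n")
        return compare(baseline, root)
```

In a real deployment the baseline would be written to read-only or offline storage right after a clean install or verified patch, and `compare()` run from cron against the live web root, webserver configuration directory and cron spool.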
Tools for Detection and Mitigation
Leveraging specialized tools can significantly enhance your ability to detect and mitigate threats targeting FreePBX systems:
| Tool Name | Purpose | Link |
|---|---|---|
| ModSecurity WAF | Web Application Firewall for detecting and blocking webshell uploads and malicious requests. | https://www.modsecurity.org/ |
| ClamAV | Open-source antivirus engine for scanning PHP files for known webshell signatures. | https://www.clamav.net/ |
| OSSEC HIDS | Host-based Intrusion Detection System with FIM capabilities to alert on file changes. | https://www.ossec.net/ |
| FreePBX Security Module | Built-in security features and reports for FreePBX. | (Accessed via FreePBX admin GUI) |
| Rkhunter / Chkrootkit | Rootkit and backdoor detection tools for Linux systems. | http://rkhunter.sourceforge.net/ / http://www.chkrootkit.org/ |
Conclusion
The INJ3CTOR3 campaign and their JOMANGY webshell serve as a stark reminder of the sophisticated threats targeting VoIP infrastructure. The use of six-layer persistence underscores the attackers’ determination to maintain access, making detection and eradication challenging. FreePBX administrators must prioritize robust security practices, including rigorous patching, strong access controls, and continuous monitoring, to defend against these persistent and financially driven attacks. Remaining vigilant and proactive is paramount to safeguarding critical communication systems.