INJ3CTOR3 JOMANGY Webshell Threatens FreePBX Security

INJ3CTOR3 targets FreePBX with persistent JOMANGY webshell for toll fraud


INJ3CTOR3 JOMANGY webshell attacks have emerged as a significant threat to organisations running FreePBX. In the latest campaign, attackers compromise the telephony server, use its SIP trunks to place fraudulent outbound calls that are billed to the victim, and plant layered backdoors so that access survives clean-up. Understanding how INJ3CTOR3 and JOMANGY operate is vital for organisations that rely on FreePBX for business communications.

How the INJ3CTOR3 Campaign Targets FreePBX

Advanced Compromise Techniques

Researchers at Cyble Research & Intelligence Labs have attributed the campaign to the threat actor INJ3CTOR3. Unlike typical ransomware or data-theft operations, it hijacks FreePBX systems to abuse their SIP trunks for fraudulent outbound calls (toll fraud). Those calls are billed to the victim's carrier account, producing direct financial loss, and the abuse can disrupt legitimate business communications.

JOMANGY Webshell Deployment

The attackers introduce a new PHP webshell family, JOMANGY, alongside the ZenharR malware toolkit. JOMANGY gives the operators remote control of the compromised server through the web tier: they can execute commands, create accounts, and maintain access. Copies of the webshell are planted in multiple locations on the server, so removing the obvious one rarely removes them all.

Self-Healing Persistence Architecture

INJ3CTOR3 employs a multi-stage Bash infection chain that builds a self-healing persistence framework: six distinct mechanisms, each able to restore the others if it is removed. These mechanisms include:

  • Cron-based command-and-control polling every one to three minutes
  • Shell profile injections that run on reboot and on every root login
  • Immutable crontab backups protected using chattr +i
  • Watchdog processes that relaunch malware components automatically
  • Multiple immutable JOMANGY webshell copies scattered across the server
  • A self-reinstalling PHP executor embedded in the environment

This approach means that even partial remediation (such as removing a few malicious files or cron jobs) is often ineffective. Any surviving component can quickly restore the full infection within minutes, making cleanup challenging for administrators.

Backdoor Account Creation and Privilege Escalation

Extensive Backdoor Deployment

The campaign also creates 18 separate backdoor accounts on compromised FreePBX systems. Nine have UID 0, which makes them root-equivalent whatever their name; eight are named after legitimate service users such as “asterisk,” “freepbxuser,” “spamfilter,” and “sangoma” so that they blend in; and one is inserted directly into the FreePBX MySQL database, giving administrative access to the web panel.

These accounts are strategically named to blend into ordinary PBX administrative environments, reducing the likelihood of detection during routine inspections. This extensive access allows attackers to maintain control, escalate privileges, and potentially pivot to other systems within the network.

Why INJ3CTOR3 JOMANGY Webshell Attacks Matter

Financial and Operational Impact

Organisations running Asterisk/FreePBX face significant financial and operational risks from these attacks. Fraudulent calls generated through compromised SIP trunks can result in substantial unauthorised charges. The disruption of telephony services can affect customer support, sales, and internal communications, harming business continuity.

Persistent and Stealthy Threats

The self-healing nature of the malware ecosystem means infections are resilient to standard remediation efforts. Attackers can regain access rapidly, making it difficult for IT teams to restore systems to a secure state. The stealthy deployment of backdoor accounts further complicates detection, especially when malicious users mimic legitimate service accounts.

Potential for Broader Network Compromise

Root-level access and administrative control over telephony infrastructure can provide a foothold for lateral movement within the organisation’s network. Attackers may explore opportunities for additional compromise, data theft, or further disruptions, increasing the stakes for affected organisations.

Recommended Actions for Organisations

Immediate Response Steps

  • Conduct a thorough audit of all user accounts on FreePBX servers, starting with any account whose UID is 0 and any name that resembles a service user but was not created by the install.
  • Review and clean all cron jobs (the system crontab, /etc/cron.d and every per-user crontab), shell profiles (/etc/profile, /root/.bashrc and similar) and other scheduled tasks for malicious persistence mechanisms.
  • Check for files with the immutable attribute (lsattr -R) and clear it with chattr -i before attempting to delete or restore them; chattr +i is what stops even root from removing the malware's crontab backups and webshell copies.
  • Inspect the FreePBX MySQL database for unauthorised administrative accounts.
  • Search the whole filesystem, not only the web root, for copies of PHP webshells such as JOMANGY.
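The persistence mechanisms listed earlier and the audit steps above can be turned into a small triage script. The following is an added example written for this bulletin, not code from Cyble, from the original report or from the FreePBX project. It assumes a standard /etc/passwd layout, that FreePBX administrator accounts live in the ampusers table of the asterisk MySQL database on a stock install (an assumption), and it uses generic cron and webshell heuristics rather than published JOMANGY or ZenharR signatures; the sample inputs used to exercise it are constructed.

```shell
#!/usr/bin/env bash
# Triage helpers for a FreePBX host suspected of INJ3CTOR3-style persistence.
# Added example, not code from the bulletin or from Cyble. Every pattern below
# is a generic heuristic (assumption), not a published JOMANGY/ZenharR signature.
set -u

# 1. Root-equivalent accounts: anything with UID 0 that is not literally "root".
uid0_accounts() {                      # $1 = passwd file (default /etc/passwd)
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# 2. Names built on a FreePBX service account name but not identical to it
#    (e.g. "sangoma1", "asterisk_svc"). Exact matches are left for manual review.
lookalike_accounts() {                 # $1 = passwd file (default /etc/passwd)
  awk -F: -v names="asterisk freepbxuser spamfilter sangoma" '
    BEGIN { n = split(names, svc, " ") }
    { for (i = 1; i <= n; i++)
        if ($1 != svc[i] && index($1, svc[i]) > 0) { print $1; break } }
  ' "${1:-/etc/passwd}"
}

# 3. Crontab lines that fire every 1-3 minutes and fetch or pipe into a shell,
#    the shape of the C2 polling described in the report. Reads crontab text on
#    stdin (system crontab with a user column, or a user crontab without one).
cron_c2_entries() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blanks
    $1 ~ /^(\*|\*\/[123])$/ && $0 ~ /(curl|wget|bash -c|sh -c|\/dev\/tcp)/ { print }
  '
}

# 4. Paths carrying the immutable attribute, parsed from "lsattr -R" output on
#    stdin. chattr +i blocks even root from deleting a file until "chattr -i".
immutable_from_lsattr() {
  awk 'NF >= 2 && $1 ~ /^[-a-zA-Z]+$/ && index($1, "i") > 0 { sub(/^[^ ]+ /, ""); print }'
}

# 5. PHP files containing classic webshell constructs: eval/assert over decoded
#    or request-supplied data, or a process-spawning call fed from $_GET/$_POST.
#    Hidden files are included on purpose; review every hit by hand.
webshell_candidates() {                # $1 = directory tree to scan
  local pat='(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))|(shell_exec|passthru|system|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
  find "${1:?directory}" -type f -name '*.php' -exec grep -lE "$pat" {} +
}

# 6. FreePBX web-panel administrators. Assumption: a stock install keeps them in
#    table ampusers of the "asterisk" MySQL database, reachable as root over the
#    local socket. Compare the list with the administrators you actually created.
freepbx_admin_users() {
  mysql -N asterisk -e 'SELECT username, sections FROM ampusers;'
}

# Run every host check (needs root for lsattr and mysql): ./triage.sh --run
if [ "${1:-}" = "--run" ]; then
  echo "== UID-0 accounts other than root"; uid0_accounts
  echo "== service-name look-alikes";       lookalike_accounts
  echo "== fast-polling cron entries"
  cat /etc/crontab /etc/cron.d/* /var/spool/cron/* 2>/dev/null | cron_c2_entries
  echo "== immutable files"
  lsattr -R /etc /var/spool/cron /var/www /usr/local 2>/dev/null | immutable_from_lsattr
  echo "== webshell candidates";         webshell_candidates /var/www/html
  echo "== FreePBX admin users";         freepbx_admin_users
fi
```

Every hit from the heuristic checks (the look-alike and webshell scans in particular) needs a human decision, and a clean run is not proof of a clean host: the report describes components that relaunch each other and can be renamed, so a host that shows any of these indicators should be treated as compromised in full rather than cleaned item by item.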

Ongoing Security Practices

  • Apply the latest security updates and patches to FreePBX, Asterisk and the underlying operating system.
  • Restrict access to SIP trunks and administrative panels with strong authentication and network segmentation, and limit outbound routes so that international and premium-rate destinations the business does not need are blocked or PIN-protected.
  • Monitor and log telephony activity, including call detail records, to detect unusual outbound calls such as out-of-hours international traffic or bursts of calls from a single extension.
  • Use file integrity monitoring tools to spot changes to critical system files and configurations.
  • Educate IT staff about current attack techniques and the importance of multi-layered defence.
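The monitoring step above can be made concrete against Asterisk's own call records. The following is an added example, not part of the bulletin or of the Asterisk project: it reads CDR rows in the stock Master.csv column order (accountcode, src, dst, dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration, billsec, disposition, amaflags, uniqueid, userfield) and assumes a dial plan where international numbers are dialled with a 00 or 011 prefix or a leading plus (an assumption about the site). The sample records it ships with are constructed, not real traffic.

```shell
#!/usr/bin/env bash
# Toll-fraud indicators over Asterisk CDR CSV (Master.csv) records.
# Added example, not from the bulletin. Assumes the stock column order (src is
# column 2, dst column 3, start time column 10) and that international calls are
# dialled as 00..., 011... or +... (assumption about the local dial plan).
set -u

BUSINESS_START=7     # first hour (inclusive) in which outbound calls are expected
BUSINESS_END=19      # last hour (inclusive)

# Shared filter. Master.csv quotes every field, so splitting on the literal
# string "," keeps commas inside fields (e.g. lastdata) from shifting columns.
# Emits tab-separated: src, dst, start hour as a number, full start timestamp.
intl_calls() {
  awk -F'","' 'BEGIN { OFS = "\t" }
    $3 ~ /^(00|011|\+)[0-9]+$/ { print $2, $3, substr($10, 12, 2) + 0, $10 }'
}

# 1. International calls placed outside business hours: the classic signature of
#    a hijacked trunk being used while nobody is watching the phones.
offhours_intl_calls() {                 # CDR CSV on stdin -> "src dst start"
  intl_calls | awk -F'\t' -v s="$BUSINESS_START" -v e="$BUSINESS_END" \
    '$3 < s || $3 > e { print $1, $2, $4 }'
}

# 2. Sources that place at least N international calls within the input window
#    (a burst from one extension or trunk). Prints "src count".
intl_call_burst() {                     # $1 = threshold N (default 3); CDR CSV on stdin
  intl_calls | awk -F'\t' -v n="${1:-3}" \
    '{ c[$1]++ } END { for (s in c) if (c[s] >= n) print s, c[s] }'
}

# Constructed sample records (not real traffic): a domestic daytime call and a
# daytime international call from 1001, then a 02:00 burst from extension 1004.
sample_cdr() {
  cat <<'EOF'
"","1001","2125551234","from-internal","Alice <1001>","SIP/1001-00000001","SIP/trunk-00000002","Dial","SIP/trunk/2125551234,300","2026-05-21 09:12:07","2026-05-21 09:12:15","2026-05-21 09:15:15","188","180","ANSWERED","3","1747811527.1",""
"","1001","0033123456789","from-internal","Alice <1001>","SIP/1001-00000003","SIP/trunk-00000004","Dial","SIP/trunk/0033123456789,300","2026-05-21 10:30:00","2026-05-21 10:30:09","2026-05-21 10:42:31","751","742","ANSWERED","3","1747816200.3",""
"","1004","00234803001122","from-internal","Sales <1004>","SIP/1004-00000005","SIP/trunk-00000006","Dial","SIP/trunk/00234803001122,300","2026-05-21 02:14:07","2026-05-21 02:14:20","2026-05-21 02:34:20","1213","1200","ANSWERED","3","1747786447.5",""
"","1004","00234803001133","from-internal","Sales <1004>","SIP/1004-00000007","SIP/trunk-00000008","Dial","SIP/trunk/00234803001133,300","2026-05-21 02:15:02","2026-05-21 02:15:14","2026-05-21 02:35:14","1212","1200","ANSWERED","3","1747786502.7",""
"","1004","00234803001144","from-internal","Sales <1004>","SIP/1004-00000009","SIP/trunk-00000010","Dial","SIP/trunk/00234803001144,300","2026-05-21 02:16:11","2026-05-21 02:16:25","2026-05-21 02:36:25","1214","1200","ANSWERED","3","1747786571.9",""
"","1004","00234803001155","from-internal","Sales <1004>","SIP/1004-00000011","SIP/trunk-00000012","Dial","SIP/trunk/00234803001155,300","2026-05-21 02:17:40","","2026-05-21 02:18:10","30","0","NO ANSWER","3","1747786660.11",""
EOF
}

# ./cdr_check.sh --demo runs both checks on the constructed sample;
# ./cdr_check.sh /var/log/asterisk/cdr-csv/Master.csv runs them on a real file.
if [ "${1:-}" = "--demo" ]; then
  echo "== off-hours international calls"; sample_cdr | offhours_intl_calls
  echo "== international call bursts";     sample_cdr | intl_call_burst 3
elif [ -n "${1:-}" ]; then
  echo "== off-hours international calls"; offhours_intl_calls < "$1"
  echo "== international call bursts";     intl_call_burst 3 < "$1"
fi
```

Both checks are deliberately simple: the point is that a compromised PBX betrays itself first in the call records, often hours before anyone notices the invoice, so the thresholds and business hours should be tuned to the site and the output fed to whatever alerting the team already watches.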

Incident Recovery and Prevention

If signs of compromise are detected, treat the host as untrusted: rebuild it from clean installation media and restore only configuration that has been verified, because backups taken after the intrusion may already contain the backdoor accounts, cron entries and webshell copies. Change all passwords and rotate authentication credentials, including the SIP trunk credentials held with the carrier and every FreePBX administrator account. Engage cybersecurity professionals to conduct a forensic investigation and confirm that every persistence mechanism has been eradicated. Proactive vulnerability assessments and penetration testing can help identify weaknesses before attackers exploit them.

Organisations using FreePBX should remain vigilant, as INJ3CTOR3 JOMANGY webshell attacks demonstrate the evolving sophistication of threats targeting critical business infrastructure.

Originally reported by thecyberexpress.com.


About the Author


Rob McBride, Partner

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

Published May 22, 2026