FortiGuard Labs analyzes EncystPHP, a stealthy web shell exploiting CVE-2025-64328 in FreePBX environments to enable remote command execution, persistence, and long-term system compromise
Analysis Summary
# Tool/Technique: EncystPHP
## Overview
EncystPHP is a stealthy web shell designed to establish remote command execution, persistence, and long-term administrative control within compromised FreePBX environments, leveraging the vulnerability tracked as CVE-2025-64328.
## Technical Details
- Type: Malware (Web Shell)
- Platform: Linux (FreePBX environments)
- Capabilities: Remote Command Execution (RCE), system reconnaissance, persistence via cron jobs, system account management (creation/deletion/password reset), deletion of competing malware/logs, and privilege escalation.
- First Seen: Early December 2025 (the year is inferred from the disclosure timeframe of the vulnerability)
## MITRE ATT&CK Mapping
- **Initial Access** (TA0001)
  - T1190 - Exploit Public-Facing Application
- **Execution** (TA0002)
  - T1059.004 - Command and Scripting Interpreter: Unix Shell
- **Persistence** (TA0003)
  - T1053.003 - Scheduled Task/Job: Cron
  - T1505.003 - Server Software Component: Web Shell
- **Privilege Escalation** (TA0004)
  - T1068 - Exploitation for Privilege Escalation
  - T1136.001 - Create Account: Local Account
- **Credential Access** (TA0006)
  - T1003 - OS Credential Dumping
- **Defense Evasion** (TA0005)
  - T1070.004 - Indicator Removal on Host: File Deletion
  - T1222.002 - File and Directory Permissions Modification: Linux
  - T1036.005 - Masquerading: Match Legitimate Name or Location
  - T1562.001 - Impair Defenses: Disable or Modify Tools
- **Command and Control** (TA0011)
  - T1105 - Ingress Tool Transfer
  - T1071.001 - Application Layer Protocol: Web Protocols
- **Lateral Movement** (TA0008)
  - T1021.004 - Remote Services: SSH
- **Impact** (TA0040)
  - T1496 - Resource Hijacking
## Functionality
### Core Capabilities
- **Exploitation:** Deploys via exploitation of FreePBX Endpoint Manager (CVE-2025-64328), a post-authentication command injection vulnerability.
- **System Disruption:** Deletes cron job entries and attempts to erase evidence related to older web shells or malicious files based on specific strings (e.g., "Badr," "pastebin").
- **Defense Impairment:** Modifies file permissions of core files (`ajax.php`, `model.php`) to 000 to block access and disrupt inspection, and disables error reporting (implied by "Impair Defenses" T1562.001).
### Advanced Features
- **Persistence Establishment:** Creates a new root-level user (`newfpbx`) and resets passwords for multiple existing user accounts to maintain access.
- **Reconnaissance:** Collects database configuration information from `/etc/freepbx.conf`.
- **Self-Cleanup/Competition Removal:** Scans for and deletes PHP files associated with other web shells identified by common decoding functions, packet headers, or shell execution functions.
- **SSH Exposure:** Injects an attacker-controlled SSH public key and forces the exposure of port 22 for alternative access.
- **Masquerading:** The core web shell may be written into legitimate FreePBX file paths (e.g., `ajax.php`, `config.php`) while forging timestamps.
## Indicators of Compromise
- File Hashes: SHA256, as given in the analysis (note that the value below is shorter than the 64 hex characters of a full SHA256 digest, so treat it as partial): `3e711e5db39261df759f76da6893f3ca71a4704b9ee2b26b8c7` (associated with the dropper/web shell file `c`)
- File Names: `c` (initial dropper), `k.php` (redirected dropper)
- Registry Keys: N/A (Linux system)
- Network Indicators:
- Initial Download IP: 45[.]234[.]176[.]202
- Associated Domain: crm[.]razatelefonia[.]pro
- Behavioral Indicators:
- Modification of file permissions on critical PHP files to 000.
- Execution of `useradd` command to create the `newfpbx` user with UID 0.
- Reading `/etc/freepbx.conf`.
- Deleting existing cron job entries.
## Associated Threat Actors
- INJ3CTOR3 (Known since 2020; previously targeted CVE-2019-19006 and CVE-2021-45461 in Elastix).
## Detection Methods
- **Signature-based Detection:** Signatures against the known file hash of the dropper/web shell file. Signatures looking for strings used for deletion (e.g., "Badr," "yokyok," "bm2cjjnRXac1WW3KT7k6MKTR").
- **Behavioral Detection:** Monitoring for post-authentication login attempts to the FreePBX admin interface originating from unusual IPs, followed by attempts to write/modify PHP files, execute system commands (`useradd`, `crontab -e`), or access `/etc/freepbx.conf`.
- **YARA rules:** None are provided in the source text; rules that match PHP obfuscation (e.g., base64 decoding) combined with shell command execution functions inside web-served files would be applicable.
## Mitigation Strategies
- **Prevention:** Immediately patch FreePBX Endpoint Manager to a version beyond v17.0.3 to address **CVE-2025-64328**. Restrict administrative interface access via firewall rules where possible.
- **Hardening Recommendations:**
1. Review and remove the created `newfpbx` user.
2. Audit cron jobs for recently added unusual entries.
3. Check file permissions on `ajax.php` and `model.php`; they should not be set to 000.
4. Audit `/etc/freepbx.conf` for unauthorized access/read activities.
5. Ensure SSH port (22) is restricted or not exposed if not strictly necessary.
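The behavioral indicators and the hardening checklist above can be turned into a repeatable, read-only host check. The script below is an added example written for this page, not FortiGuard Labs' or the FreePBX project's code. It assumes a conventional install layout (`/var/www/html/admin` as the admin web root, `/var/spool/cron` for per-user crontabs, root's `authorized_keys` for SSH) and the presence of GNU `find`/`awk`; the optional audit rules assume `auditd` is installed. Each path can be overridden with an environment variable, and the passwd, crontab and key samples used to exercise it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not FortiGuard Labs tooling: a read-only audit of a FreePBX host
# for the behavioural indicators and hardening checks listed in this report.
# Paths are assumptions for a typical install; override them via the environment.

FPBX_WEBROOT="${FPBX_WEBROOT:-/var/www/html/admin}"   # assumed FreePBX admin web root
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
CRON_DIR="${CRON_DIR:-/var/spool/cron}"               # assumed per-user crontab spool

# 1. Accounts: print any UID-0 account other than root, plus the reported
#    backdoor account name newfpbx whatever its UID. $1 is a passwd-format file.
find_suspicious_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || $1 == "newfpbx" { print $1 ":" $3 }' "$1"
}

# 2. Permissions: print each existing file whose mode is exactly 000, the
#    lockout trick the web shell applies to ajax.php and model.php.
check_zero_perms() {
    local f
    for f in "$@"; do
        [ -e "$f" ] && find "$f" -maxdepth 0 -perm 000 -print
    done
    return 0
}

# 3. Cron: flag crontab lines that download-and-execute or decode base64,
#    the shape of a re-infection job. $1 is a crontab file; output is line-numbered.
flag_cron_lines() {
    grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sh|bash|php)|base64[[:space:]]+(-d|--decode)' "$1"
    return 0
}

# 4. SSH: list authorized_keys entries (key type and trailing comment only) so an
#    injected key with an unfamiliar comment, or none, stands out. $1 is the file.
list_authorized_keys() {
    [ -r "$1" ] || return 0
    awk 'NF >= 2 && $1 !~ /^#/ { print $1, (NF >= 3 ? $NF : "(no comment)") }' "$1"
}

# 5. auditd rules (assumed: auditd installed) that record the reported behaviours:
#    reads of /etc/freepbx.conf, execution of useradd, and crontab changes.
#    Usage: print_audit_rules > /etc/audit/rules.d/freepbx.rules && augenrules --load
print_audit_rules() {
    cat <<'EOF'
-w /etc/freepbx.conf -p r -k fpbx_conf_read
-w /usr/sbin/useradd -p x -k fpbx_useradd
-w /var/spool/cron -p wa -k fpbx_cron
EOF
}

run_audit() {
    echo "== UID-0 / newfpbx accounts in $PASSWD_FILE =="
    find_suspicious_accounts "$PASSWD_FILE"
    echo "== Files locked to mode 000 =="
    check_zero_perms "$FPBX_WEBROOT/ajax.php" "$FPBX_WEBROOT/model.php"
    echo "== Suspicious crontab lines under $CRON_DIR =="
    for c in "$CRON_DIR"/*; do
        [ -f "$c" ] && flag_cron_lines "$c" | sed "s|^|$c:|"
    done
    echo "== root authorized_keys =="
    list_authorized_keys /root/.ssh/authorized_keys
}

run_audit
```

Every finding is printed rather than acted on: the report notes the shell resets passwords and forges timestamps, so a host that trips any of these checks should be treated as compromised and rebuilt from a known-good image after the CVE-2025-64328 patch, not simply cleaned by deleting the `newfpbx` user.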
## Related Tools/Techniques
- Older web shells potentially associated with INJ3CTOR3 that utilize similar PHP techniques or strings (implied by the deletion logic).
- General purpose PHP web shells that rely on Base64 decoding for command execution.