🚨 JOMANGY Webshell Enables Long-Term Compromise of VoIP Infrastructure
⚠️ #JOMANGY is an actively used PHP backdoor targeting FreePBX-based VoIP environments with stealth, self-recovery, and VoIP/SIP abuse capabilities.
Once deployed, it establishes persistent access, creates hidden root accounts, and abuses Asterisk/SIP services for toll fraud operations. Since VoIP systems are deeply integrated into enterprise environments, delayed detection can lead to prolonged unauthorized access, financial loss, and operational disruption.
❗️ The malware relies on stealth and defense-evasion techniques designed to survive cleanup attempts and complicate containment for SOC and IR teams once systems are compromised. MITRE ATT&CK techniques observed include:
🔹 Persistence via cron jobs and Unix shell configuration abuse
🔹 Defense evasion through log clearing, timestomping, and firewall modification
🔹 Credential access targeting `/etc/passwd` and `/etc/shadow`
🔹 Competitive eviction of other webshells from compromised systems
🔹 VoIP/SIP abuse supporting toll fraud operations
Execution chain:
Vulnerable FreePBX instance ➡️ Exploit public vulnerabilities ➡️ Bash stager deployment ➡️ JOMANGY webshell deployment ➡️ Multiple persistence mechanisms ➡️ Self-healing loop ➡️ VoIP/SIP abuse
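As an added triage example (not code from the post or from ANY.RUN), the three checks below hunt for the persistence and evasion traits listed above on a FreePBX host: extra UID-0 accounts in `/etc/passwd`, files whose mtime was backdated relative to ctime (a timestomping tell), and cron lines pointing at web or temp paths. The sample passwd text, file timestamps and cron lines are constructed, and the cron path patterns are this example's own assumptions, not indicators from the post.

```python
import re

# Constructed sample of /etc/passwd: 'sysadm' is a hidden UID-0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
asterisk:x:999:995::/var/lib/asterisk:/sbin/nologin
sysadm:x:0:0::/var/tmp/.x:/bin/bash
"""

def find_extra_uid0(passwd_text):
    """Return account names with UID 0 other than 'root'."""
    hits = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            hits.append(parts[0])
    return hits

def find_timestomped(entries, slack=60):
    """entries: iterable of (path, mtime, ctime) in epoch seconds.
    utime()/'touch -r' can backdate mtime but cannot set ctime, so a
    file whose mtime trails its ctime by more than `slack` seconds is a
    candidate for review. Package-installed files show the same gap,
    so verify candidates against the package manager before acting."""
    return [path for path, mtime, ctime in entries if ctime - mtime > slack]

# Assumed path/tool patterns worth a second look in crontab entries.
CRON_PATTERNS = re.compile(r"(/var/www|/tmp/|/dev/shm|curl\s|wget\s|base64)")

def find_suspicious_cron(cron_lines):
    """Return non-comment cron lines matching CRON_PATTERNS."""
    return [line for line in cron_lines
            if not line.lstrip().startswith("#") and CRON_PATTERNS.search(line)]

if __name__ == "__main__":
    print("extra UID-0 accounts:", find_extra_uid0(SAMPLE_PASSWD))
    print("timestomp candidates:", find_timestomped([
        ("/var/www/html/index.php", 1700000000, 1700000000),
        ("/var/www/html/.cache.php", 1600000000, 1700000000)]))
    print("cron hits:", find_suspicious_cron([
        "# m h dom mon dow user command",
        "* * * * * root /usr/bin/php /var/www/html/.cache.php",
        "0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf"]))
```

Run it with real data by piping `getent passwd`, `stat -c '%n %Y %Z' /var/www/html/*` and `/etc/cron*` contents into the three functions.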
👨💻 Using #ANYRUN Sandbox, investigate JOMANGY behavior in real time, validate detection coverage, and observe webshell deployment, persistence mechanisms, and outbound C2 activity: https://app.any.run/tasks/6c779f0e-e422-4ef5-9bc7-6a799480cc20/?utm_source=mastodon&utm_medium=post&utm_campaign=jomangy_webshell&utm_content=linktoservice&utm_term=280526
Earlier visibility into persistence and webshell behavior helps SOC teams accelerate containment and reduce attacker dwell time. IOCs in the comments 💬
🔍 #ANYRUN TI Lookup reveals two active JOMANGY infrastructure clusters tied to attacker-controlled C2 servers, with activity traced back to April 2026. This visibility helps threat hunters uncover related activity, identify compromised environments, and track infrastructure reuse across campaigns: https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=jomangy_webshell&utm_content=linktotilookup&utm_term=280526#%7B%2522query%2522:%2522destinationIP:%255C%2522160.119.69.4%255C%2522%2520OR%2520destinationIP:%255C%252245.95.147.178%255C%2522%2522,%2522dateRange%2522:180%7D
🚀 Scale your SOC’s triage and response with solutions trusted by 74 Fortune 100 companies and detect business risks earlier. Get an exclusive 10th anniversary deal for your team: https://app.any.run/plans/?utm_source=mastodon&utm_medium=post&utm_campaign=jomangy_webshell&utm_content=linktoplans&utm_term=280526
