Every now and then, cybercriminals misuse legitimate software to do illegitimate things, and NSS Labs researchers have spotted the latest instance of this modus operandi.
SIPVicious, the popular bundle of tools designed for auditing SIP (Session Initiation Protocol) based VoIP systems, is currently being used by criminals to compromise vulnerable VoIP servers, most likely so they can place unauthorized calls to premium-rate numbers or run vishing (voice phishing) scams.
It all starts with the user visiting a compromised legitimate site injected with a malicious iframe, which redirects them to a site hosting the Blackhole exploit kit.
The exploit kit does its thing: it probes the visitor's system for exploitable vulnerabilities and, if it finds one, downloads a Trojan (jqs.exe, the same filename as the legitimate Java Quick Starter process) and executes it on the system.
After contacting its C&C server and downloading instructions, the Trojan tries to connect to a .cc domain, from which it downloads the SIPVicious toolset, a Python interpreter (SIPVicious is written in Python) and an unrar tool.
“The Trojan invokes Microsoft installer and installs Python silently in the background,” the researchers write. “It also unrars the SIPVicious toolset.”
Under orders from the C&C server, SIPVicious is used to scan for SIP devices inside the network, which are then hit by a brute-force attack; the toolset's svmap, svwar and svcrack scripts do exactly this, finding SIP devices, enumerating their extensions and guessing extension passwords. If the attack succeeds, the Trojan registers with the device using the cracked extensions, which the crooks can then misuse. Out of the box this activity is not subtle: SIPVicious sends a User-Agent header of “friendly-scanner” and a From header with the display name “sipvicious”, and the brute-force phase shows up as a burst of REGISTER requests from one source, each one rejected by the PBX.
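As an added example (not part of the NSS Labs write-up or of the SIPVicious project), the following Python script shows what the scan and brute-force phase looks like from the PBX side and how to flag it: it parses SIP requests and responses, looks for SIPVicious's default User-Agent and From display name, and counts extension probes and credential attempts per source. The sample traffic, IP addresses, thresholds, header builders and finding labels are all constructed for this example; the only SIPVicious-specific facts it relies on are the default “friendly-scanner” User-Agent and the “sipvicious” display name.

```python
"""Flag SIPVicious-style scanning and REGISTER brute-forcing in SIP traffic."""
import re
from collections import defaultdict

# SIPVicious defaults: User-Agent "friendly-scanner" and a "sipvicious" display
# name in From/To. Both are trivially changed by an attacker: a hint, not proof.
SCANNER_USER_AGENTS = ("friendly-scanner", "sipvicious")
SCANNER_DISPLAY_NAME = "sipvicious"

# Thresholds are assumptions for this example; tune them to the site's traffic.
EXTENSION_SWEEP_THRESHOLD = 5     # distinct extensions probed by one source
CREDENTIAL_ATTEMPT_THRESHOLD = 5  # REGISTERs carrying Authorization from one source

REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
URI_IN_HEADER = re.compile(r"(sips?:[^>;\s]+)")


def parse_sip(raw):
    """Parse one SIP message into a dict; header names are lower-cased, first value wins."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    m = REQUEST_LINE.match(lines[0])
    if m:
        return {"kind": "request", "method": m.group(1), "uri": m.group(2), "headers": headers}
    m = STATUS_LINE.match(lines[0])
    if m:
        return {"kind": "response", "status": int(m.group(1)), "headers": headers}
    raise ValueError("not a SIP message: %r" % lines[0])


def uri_user(uri):
    """User part of sip:user@host (the extension), or '' when there is none."""
    body = uri.split(":", 1)[1] if ":" in uri else uri
    user, sep, _host = body.partition("@")
    return user if sep else ""


def probed_extension(msg):
    """Extension a request targets: the To header's user part, else the request URI's."""
    m = URI_IN_HEADER.search(msg["headers"].get("to", ""))
    return (uri_user(m.group(1)) if m else "") or uri_user(msg["uri"])


def analyze(messages):
    """messages: iterable of (src_ip, dst_ip, raw_sip). Requests are attributed to
    src_ip, responses to dst_ip (the client they go back to). Returns
    {client_ip: [finding, ...]} for clients with at least one finding."""
    stats = defaultdict(lambda: {"scanner_ua": False, "scanner_name": False, "options": 0,
                                 "extensions": set(), "cred_attempts": 0, "rejections": 0})
    for src, dst, raw in messages:
        msg = parse_sip(raw)
        if msg["kind"] == "request":
            s = stats[src]
            ua = msg["headers"].get("user-agent", "").lower()
            s["scanner_ua"] |= any(tag in ua for tag in SCANNER_USER_AGENTS)
            s["scanner_name"] |= SCANNER_DISPLAY_NAME in msg["headers"].get("from", "").lower()
            if msg["method"] == "OPTIONS":
                s["options"] += 1
            elif msg["method"] == "REGISTER":
                s["extensions"].add(probed_extension(msg))
                if "authorization" in msg["headers"]:  # a credential guess (or a real login)
                    s["cred_attempts"] += 1
        else:
            # One 401 per registration is the normal digest challenge; a stream of
            # 401/403/404 replies to REGISTER is enumeration or password guessing.
            if msg["status"] in (401, 403, 404) and msg["headers"].get("cseq", "").upper().endswith("REGISTER"):
                stats[dst]["rejections"] += 1
    findings = {}
    for ip, s in stats.items():
        out = []
        if s["scanner_ua"] or s["scanner_name"]:
            out.append("sipvicious-indicators")
            if s["options"]:
                out.append("svmap-style-options-probe")
        if len(s["extensions"]) >= EXTENSION_SWEEP_THRESHOLD:
            out.append("svwar-style-extension-enumeration")
        if s["cred_attempts"] >= CREDENTIAL_ATTEMPT_THRESHOLD and s["rejections"] >= CREDENTIAL_ATTEMPT_THRESHOLD:
            out.append("svcrack-style-register-brute-force")
        if out:
            findings[ip] = out
    return findings


# --- constructed sample traffic (not a real capture) ---------------------------
PBX, ATTACKER, PHONE = "192.0.2.10", "203.0.113.7", "192.0.2.50"
SV_FROM = '"sipvicious"<sip:100@1.1.1.1>'  # SIPVicious's default From/To value


def _request(method, ruri, frm, to, ua, authorization=None):
    lines = ["%s %s SIP/2.0" % (method, ruri), "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-0",
             "From: %s;tag=x" % frm, "To: %s" % to, "Call-ID: x@0.0.0.0",
             "CSeq: 1 %s" % method, "User-Agent: %s" % ua]
    if authorization:
        lines.append("Authorization: " + authorization)
    return "\r\n".join(lines + ["Content-Length: 0"]) + "\r\n\r\n"


def _response(status, reason, method):
    return "\r\n".join(["SIP/2.0 %d %s" % (status, reason), "CSeq: 1 %s" % method,
                        "Content-Length: 0"]) + "\r\n\r\n"


def sample_traffic():
    """A SIPVicious-style sweep from ATTACKER plus one normal phone registration from PHONE."""
    t = [(ATTACKER, PBX, _request("OPTIONS", "sip:100@" + PBX, SV_FROM, SV_FROM, "friendly-scanner"))]
    for ext in range(100, 106):  # svwar: walk candidate extensions without credentials
        t.append((ATTACKER, PBX, _request("REGISTER", "sip:" + PBX, SV_FROM, "<sip:%d@%s>" % (ext, PBX), "friendly-scanner")))
        t.append((PBX, ATTACKER, _response(401, "Unauthorized", "REGISTER") if ext == 100 else _response(404, "Not Found", "REGISTER")))
    for i in range(6):  # svcrack: password guesses against extension 100
        auth = 'Digest username="100", realm="pbx", nonce="n%d", uri="sip:%s", response="%032x"' % (i, PBX, i)
        t.append((ATTACKER, PBX, _request("REGISTER", "sip:" + PBX, SV_FROM, "<sip:100@%s>" % PBX, "friendly-scanner", auth)))
        t.append((PBX, ATTACKER, _response(403, "Forbidden", "REGISTER")))
    to = "<sip:200@%s>" % PBX  # legitimate phone: challenge, then a valid REGISTER
    t.append((PHONE, PBX, _request("REGISTER", "sip:" + PBX, to, to, "ExamplePhone/1.0")))
    t.append((PBX, PHONE, _response(401, "Unauthorized", "REGISTER")))
    t.append((PHONE, PBX, _request("REGISTER", "sip:" + PBX, to, to, "ExamplePhone/1.0",
                                   'Digest username="200", realm="pbx", nonce="n", uri="sip:%s", response="%032x"' % (PBX, 0))))
    t.append((PBX, PHONE, _response(200, "OK", "REGISTER")))
    return t


if __name__ == "__main__":
    for ip, hits in analyze(sample_traffic()).items():
        print(ip, ", ".join(hits))
```

The header indicators are the cheap win and also the first thing an attacker edits out, which is why the per-source counts (distinct extensions probed, REGISTERs carrying Authorization, REGISTER rejections) are kept as independent signals: a renamed User-Agent still trips them. Feeding this a real capture means replacing `sample_traffic()` with tuples read from a sniffer or the PBX's SIP trace.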