A malware dubbed CDRThief is targeting voice over IP (VoIP) softswitches inside the networks of large telecom carriers.
According to ESET researchers, the malware was custom-developed to attack the Linknat VOS2009 and VOS3000 softswitches, which run on standard Linux servers. The code is capable of retrieving private call metadata, including call-detail records (CDRs), which log the call times, duration, completion status, source number and destination number of phone calls flowing through a carrier’s network.
“We can say that the malware’s primary focus is on collecting data from the database,” said ESET researcher Anton Cherepanov, in a blog post issued on Thursday. “Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version.”
To steal the metadata, the malware queries the internal MySQL databases used by the softswitches. Data to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 public key before exfiltration. The malware also encrypts any suspicious-looking strings to hide malicious functionality from basic static analysis, as well as the password from the configuration file. Only the malware authors or operators can decrypt the exfiltrated data.
“The attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented,” Cherepanov said.
Also, once the malware is started, it attempts to launch a legitimate file present on the Linknat platform, further indicating familiar knowledge of the platform on the part of the attackers.
“This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software,” added Cherepanov.
The malware can be deployed to any location on the disk under any file name – but it’s unclear what the initial infection vector is, according to the analysis. Brute-forcing credentials or exploiting known vulnerabilities are both possibilities.
“It’s hard to know the ultimate goal of attackers who use this malware,” said Cherepanov, who noted that the platforms are used in major Asian telco networks. “However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage.”
However, he speculated that another possible goal for attackers would be VoIP fraud. This typically occurs when hackers compromise business’s VoIP system and proceed to make calls to premium numbers, which can charge anywhere from 99 cents to $19.99 per minute. Because of the nature of VoIP, hundreds of calls can be made simultaneously. The hackers gain a cut of the charges in return for breaking into the VoIP systems.
“Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform international revenue-share fraud (IRSF),” the researcher explained.
In any event, the malware is notable for its uniqueness: “As an entirely new Linux malware, it’s a rarity and caught our attention,” said Cherepanov. “What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform.”
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.