New CDRThief malware targets VoIP softswitches to steal call detail records

Malware targets only two very specific softswitches (software switches): Linknat VOS2009 and VOS3000.
Written by Catalin Cimpanu, Contributor
Image: Media_Visuals

Security researchers from Slovak cyber-security firm ESET said today they discovered a very rare piece of Linux malware that targets Voice-over-IP (VoIP) telephony switches with the end goal of stealing call details metadata.

For the time being, researchers said they merely spotted the malware and analyzed its behavior, but aren't 100% sure who developed it, and for what purpose.

Considered theories include that the malware, which they named CDRThief, could be used for cyber-espionage or for a type of telephony fraud scheme known as International Revenue Share Fraud (IRSF).

How CDRThief works

But regardless of the end goal, the general conclusion from the ESET team was that CDRThief was developed by a threat actor with deep knowledge of the VoIP landscape.

For starters, the malware only targets two VoIP softswitches running on Linux servers. VoIP softswitches are software programs that run on regular servers and are designed to route calls using software, rather than special hardware.

Second, CDRThief only targets two softswitches programs, namely the VOS2009 and VOS3000 systems from Chinese company Linknat.

"At the time of writing we do not know how the malware is deployed onto compromised devices," Anton Cherepanov, one of ESET's top malware hunters, wrote in an analysis today.

"We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past," Cherepanov added.

However, once the malware has a foothold on a Linux server running Linknat VOS2009 or VOS3000, the malware searches for the Linknat configuration files and extracts credentials for the built-in MySQL database, where the softswitch stores call detail records (CDR, aka VoIP calls metadata).

"Interestingly, the password from the configuration file is stored encrypted," Cherepanov pointed out.

"However, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key used in the Linknat code."

After this step, Cherepanov says the malware connects to the MySQL database and runs SQL queries to gather CDR metadata, which is later uploaded to a remote server.

Attacks on telecoms not a rare sight

The ESET researcher said CDRThief is an extremely narrow piece of malware, built only for stealing VoIP call metadata, and nothing else. The malware doesn't run shell commands or search and steals other files, at least in its current forms, meaning its creators and the people behind CDRThief attacks knew exactly what they wanted from each of their intrusions.

Furthermore, VoIP softswitches aren't your regular type of software. They are usually installed on the networks of large telecommunications providers.

Over the past few years, incidents where hackers (usually state-sponsored groups) have targeted telecoms to steal information on traffic and voice calls have increased. This includes:

  • Operation Soft Cell: Chinese-linked hackers breached 10 telecoms and stole voice call metadata.
  • The A1 Telekom incident: A whistleblower revealed that Chinese hackers breached the internal network of Austria's largest telecom provider and queried internal systems for "location, phone numbers and other customer data for certain private A1 customers."
  • MessageTap malware: FireEye said it discovered malware specifically designed to Short Message Service Center (SMSC) servers, on a telco's network, and steal data about SMS traffic.

The world's most famous and dangerous APT (state-developed) malware

Editorial standards