CDRThief Malware Targets VoIP Gear in Carrier Networks

CDRThief Malware Targets VoIP Gear in Carrier Networks

The Linux-targeted code can steal phone-call metadata, likely in spy campaigns or for use in VoIP fraud.

A malware dubbed CDRThief is targeting voice over IP (VoIP) softswitches inside the networks of large telecom carriers.

According to ESET researchers, the malware was custom-developed to attack the Linknat VOS2009 and VOS3000 softswitches, which run on standard Linux servers. The code is capable of retrieving private call metadata, including call-detail records (CDRs), which log the call times, duration, completion status, source number and destination number of phone calls flowing through a carrier’s network.

Click to Register

“We can say that the malware’s primary focus is on collecting data from the database,” said ESET researcher Anton Cherepanov, in a blog post issued on Thursday. “Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version.”

To steal the metadata, the malware queries the internal MySQL databases used by the softswitches. Data to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 public key before exfiltration. The malware also encrypts any suspicious-looking strings to hide malicious functionality from basic static analysis, as well as the password from the configuration file. Only the malware authors or operators can decrypt the exfiltrated data.

“The attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented,” Cherepanov said.

Also, once the malware is started, it attempts to launch a legitimate file present on the Linknat platform, further indicating familiar knowledge of the platform on the part of the attackers.

“This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software,” added Cherepanov.

The malware can be deployed to any location on the disk under any file name – but it’s unclear what the initial infection vector is, according to the analysis. Brute-forcing credentials or exploiting known vulnerabilities are both possibilities.

“It’s hard to know the ultimate goal of attackers who use this malware,” said Cherepanov, who noted that the platforms are used in major Asian telco networks. “However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage.”

However, he speculated that another possible goal for attackers would be VoIP fraud. This typically occurs when hackers compromise business’s VoIP system and proceed to make calls to premium numbers, which can charge anywhere from 99 cents to $19.99 per minute. Because of the nature of VoIP, hundreds of calls can be made simultaneously. The hackers gain a cut of the charges in return for breaking into the VoIP systems.

“Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform international revenue-share fraud (IRSF),” the researcher explained.

In any event, the malware is notable for its uniqueness: “As an entirely new Linux malware, it’s a rarity and caught our attention,” said Cherepanov. “What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform.”