Security researchers have discovered a new strain of malware that targets voice over internet protocol (VoIP) software switches to steal private data such as call detail records (CDRs).

The malware, dubbed CDRThief, could be used for cyberespionage or VoIP fraud, according to the ESET researchers who discovered it.

The malware targets a “very specific” VoIP platform that is only used by two China-made softswitches. These are Linknat VOS2009 and VOS3000. A softswitch is a virtual form of a physical call switching node used in a telecommunications network. It provides call control, billing and management.

The two targeted softswitches run on servers using the Linux operating system. ESET said that it is rare to see entirely new Linux malware.

“It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage,” said ESET researcher Anton Cherepanov, who discovered CDRThief.

“Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“CDRs contain metadata about VoIP calls such as caller and IP addresses of call recipients, starting time of the call, call duration, call fees, and other information.”

Cherepanov spotted the CDRThief malware in one of ESET’s sample sharing feeds, catching his attention because of the “rarity” of new Linux malware.

The malware queries internal MySQL databases used by the softswitch to steal VoIP metadata. According to Cherepanov, this demonstrates a solid understanding of the targeted platform’s internal architecture. The hackers also encrypted the suspect parts of the malware code to avoid detection. This also meant only the malware authors could decrypt the stolen data.

“The malware can be deployed to any location on the disk under any file name. It’s unknown what type of persistence is used for starting the malware. However, it should be noted that once the malware is started, it attempts to launch a legitimate file present on the Linknat platform,” said Cherepanov.

“This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software.”


Read more: North Korean hacking group behind global cryptocurrency attacks