Security researchers have discovered a new strain of malware that targets voice over internet protocol (VoIP) software switches to steal private data such as call detail records (CDRs).

The malware, dubbed CDRThief, could be used for cyberespionage or VoIP fraud, according to the ESET researchers who discovered it.

The malware targets a “very specific” VoIP platform that is only used by two China-made softswitches. These are Linknat VOS2009 and VOS3000. A softswitch is a virtual form of a physical call switching node used in a telecommunications network. It provides call control, billing and management.

The two targeted softswitches run on servers using the Linux operating system. ESET said that it is rare to see entirely new Linux malware.

“It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage,” said ESET researcher Anton Cherepanov, who discovered CDRThief.

“Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud.

“CDRs contain metadata about VoIP calls such as caller and IP addresses of call recipients, starting time of the call, call duration, call fees, and other information.”

Cherepanov spotted the CDRThief malware in one of ESET’s sample sharing feeds, catching his attention because of the “rarity” of new Linux malware.

The malware queries internal MySQL databases used by the softswitch to steal VoIP metadata. According to Cherepanov, this demonstrates a solid understanding of the targeted platform’s internal architecture. The hackers also encrypted the suspect parts of the malware code to avoid detection. This also meant only the malware authors could decrypt the stolen data.

“The malware can be deployed to any location on the disk under any file name. It’s unknown what type of persistence is used for starting the malware. However, it should be noted that once the malware is started, it attempts to launch a legitimate file present on the Linknat platform,” said Cherepanov.

“This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software.”

Read more: North Korean hacking group behind global cryptocurrency attacks