September 10, 2020

CDRThief malware steals private voice over internet data

By Robert Scammell

Security researchers have discovered a new strain of malware that targets voice over internet protocol (VoIP) software switches to steal private data such as call detail records (CDRs).

The malware, dubbed CDRThief, could be used for cyberespionage or VoIP fraud, according to the ESET researchers who discovered it.

The malware targets a “very specific” VoIP platform that is only used by two China-made softswitches. These are Linknat VOS2009 and VOS3000. A softswitch is a virtual form of a physical call switching node used in a telecommunications network. It provides call control, billing and management.

The two targeted softswitches run on servers using the Linux operating system. ESET said that it is rare to see entirely new Linux malware.

“It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage,” said ESET researcher Anton Cherepanov, who discovered CDRThief.

“Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud.

“CDRs contain metadata about VoIP calls such as caller and IP addresses of call recipients, starting time of the call, call duration, call fees, and other information.”

Cherepanov spotted the CDRThief malware in one of ESET’s sample sharing feeds, catching his attention because of the “rarity” of new Linux malware.

The malware queries the internal MySQL databases used by the softswitch to steal VoIP metadata. According to Cherepanov, this demonstrates a solid understanding of the targeted platform’s internal architecture. The attackers also encrypted the suspicious parts of the malware code to evade detection, and the exfiltrated data is encrypted so that only the malware authors can decrypt it.
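Because the malware reads CDRs straight out of the softswitch’s MySQL database, one defender-side check is to watch the MySQL general query log for CDR reads by any client other than the softswitch’s own service account. The following is an added example, not code from the article or from ESET; the service account (`vos@localhost`), the table names and the log lines are constructed placeholders, since the article does not name Linknat’s real accounts or tables.

```python
import re
from typing import Dict, List, Tuple

# MySQL general query log line layout: "<time>\t<conn id> <command>\t<argument>"
LOG_LINE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")

# Assumed placeholders: the softswitch's own DB account and the tables that hold CDRs.
EXPECTED_CLIENTS = {"vos@localhost"}
CDR_TABLES = {"cdr", "call_detail_records"}


def cdr_table_in(query: str) -> bool:
    """True if the query names one of the CDR tables (whole-word, case-insensitive)."""
    q = query.lower()
    return any(re.search(rf"\b{t}\b", q) for t in CDR_TABLES)


def find_unexpected_cdr_reads(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (time, client, query) for CDR queries issued by clients other than the softswitch."""
    client_by_conn: Dict[str, str] = {}  # connection id -> "user@host"
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue
        ts, conn, cmd, arg = m.groups()
        if cmd == "Connect":
            # Argument looks like "user@host on dbname using Socket"; keep user@host
            client_by_conn[conn] = arg.split(" on ", 1)[0]
        elif cmd == "Query" and cdr_table_in(arg):
            client = client_by_conn.get(conn, "unknown")
            if client not in EXPECTED_CLIENTS:
                findings.append((ts, client, arg))
        elif cmd == "Quit":
            client_by_conn.pop(conn, None)
    return findings


# Constructed sample log (not captured from a real system): the softswitch reads its
# own CDR table, then a second, unexpected local client dumps the same table.
SAMPLE_LOG = [
    "2020-09-10T08:00:01.000000Z\t   12 Connect\tvos@localhost on vosdb using Socket",
    "2020-09-10T08:00:02.000000Z\t   12 Query\tSELECT caller, callee_ip, start_time, duration, fee FROM cdr WHERE id > 1000",
    "2020-09-10T08:05:00.000000Z\t   47 Connect\troot@localhost on vosdb using Socket",
    "2020-09-10T08:05:01.000000Z\t   47 Query\tSELECT * FROM cdr WHERE start_time > '2020-09-09'",
    "2020-09-10T08:05:02.000000Z\t   47 Query\tSELECT VERSION()",
    "2020-09-10T08:05:03.000000Z\t   47 Quit\t",
]

if __name__ == "__main__":
    for ts, client, query in find_unexpected_cdr_reads(SAMPLE_LOG):
        print(f"{ts} unexpected CDR read by {client}: {query}")
```

The general log is verbose, so in practice it would be enabled only on the softswitch host during an investigation or replaced by audit-plugin output with the same user/query fields.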

“The malware can be deployed to any location on the disk under any file name. It’s unknown what type of persistence is used for starting the malware. However, it should be noted that once the malware is started, it attempts to launch a legitimate file present on the Linknat platform,” said Cherepanov.

“This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software.”
