Security researchers from Slovak cyber-security firm ESET said today they discovered a very rare piece of Linux malware that targets Voice-over-IP (VoIP) telephony switches with the end goal of stealing call detail metadata.
For the time being, researchers said they merely spotted the malware and analyzed its behavior, but aren’t 100% sure who developed it, and for what purpose.
Considered theories include that the malware, which they named CDRThief, could be used for cyber-espionage or for a type of telephony fraud scheme known as International Revenue Share Fraud (IRSF).
But regardless of the end goal, the general conclusion from the ESET team was that CDRThief was developed by a threat actor with deep knowledge of the VoIP landscape.
For starters, the malware only targets two VoIP softswitches running on Linux servers. VoIP softswitches are software programs that run on regular servers and route calls in software rather than on dedicated telephony hardware.
Second, CDRThief only targets two softswitch programs, namely the VOS2009 and VOS3000 systems from Chinese company Linknat.
“At the time of writing we do not know how the malware is deployed onto compromised devices,” Anton Cherepanov, one of ESET’s top malware hunters, wrote in an analysis today.
“We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past,” Cherepanov added.
However, once the malware has a foothold on a Linux server running Linknat VOS2009 or VOS3000, it searches for the Linknat configuration files and extracts the credentials for the built-in MySQL database, where the softswitch stores its call detail records (CDRs, i.e., VoIP call metadata).
“Interestingly, the password from the configuration file is stored encrypted,” Cherepanov pointed out.
“However, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key used in the Linknat code.”
After this step, Cherepanov says, the malware connects to the MySQL database and runs SQL queries to gather CDR metadata, which is later uploaded to a remote server.
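Because CDRThief reads the call records straight out of MySQL with an account it decrypted from the softswitch's own configuration, one defensive signal is a database client other than the softswitch process querying the CDR tables. The following is an added example, not code from ESET's report or from Linknat: it scans MySQL general-log lines (constructed sample below) and flags CDR-table reads by any user/host identity outside an allowlist. The table name `cdr_records`, the account `vos@localhost`, and the log lines are assumptions.

```python
import re

# Constructed MySQL general-log excerpt (format: time, thread id, command, argument).
# Thread 7 is the assumed legitimate softswitch account; thread 9 is an unexpected client.
SAMPLE_LOG = """\
2020-09-10T08:00:00.000000Z     7 Connect   vos@localhost on vos3000 using Socket
2020-09-10T08:00:01.000000Z     7 Query     SELECT callid, caller, callee FROM cdr_records WHERE start_time > NOW() - INTERVAL 1 MINUTE
2020-09-10T08:05:00.000000Z     9 Connect   root@localhost on vos3000 using TCP/IP
2020-09-10T08:05:02.000000Z     9 Query     SELECT start_time, caller, callee FROM cdr_records WHERE start_time > '2020-09-01'
2020-09-10T08:05:03.000000Z     9 Query     SELECT * FROM gateway_map
2020-09-10T08:06:00.000000Z     9 Quit
"""

LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$')
CONNECT_RE = re.compile(r'^(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\s+(?P<db>\S*)')
CDR_TABLE_RE = re.compile(r'\b\w*cdr\w*\b', re.I)   # assumed naming pattern for CDR tables

# Assumed allowlist: the only identity that should ever read CDR tables.
ALLOWED_IDENTITIES = {("vos", "localhost")}


def find_suspicious_cdr_reads(log_text, allowed=ALLOWED_IDENTITIES):
    """Return one alert per SELECT on a CDR-like table issued by a non-allowlisted session."""
    sessions = {}   # thread id -> (user, host) learned from the Connect line
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tid, cmd, arg = m["tid"], m["cmd"], m["arg"]
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                sessions[tid] = (c["user"], c["host"])
        elif cmd == "Query":
            identity = sessions.get(tid, ("?", "?"))   # unknown if Connect scrolled out of the log
            is_select = arg.lstrip().upper().startswith("SELECT")
            if is_select and CDR_TABLE_RE.search(arg) and identity not in allowed:
                alerts.append({"thread": tid, "user": identity[0], "host": identity[1], "query": arg})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_cdr_reads(SAMPLE_LOG):
        print(f"thread {a['thread']} {a['user']}@{a['host']}: {a['query']}")
```

Enabling the general log is costly on a busy switch; the same check can be run against MySQL audit-plugin output or the switch's own query logging if it has any.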
The ESET researcher said CDRThief is an extremely narrow piece of malware, built only for stealing VoIP call metadata and nothing else. The malware doesn't run shell commands or search for and steal other files, at least in its current form, meaning its creators and the people behind CDRThief attacks knew exactly what they wanted from each of their intrusions.