A new type of malware that targets Voice over IP (VoIP) softswitches, potentially for cyber-espionage purposes, has been uncovered by ESET researchers.
The malware, named CDRThief, is designed to attack a specific VoIP platform used by two China-made softswitches, Linknat VOS2009 and VOS3000, which are software-based solutions that run on standard Linux servers. ESET believes the main purpose of this malware is to exfiltrate various private data from a compromised softswitch. This includes call data records, which contain sensitive metadata about VoIP calls such as the IP addresses of the caller and of the call recipients, the start time of the call and the call duration.
The cybersecurity firm added that the sample caught its attention because entirely new Linux malware is rare.
CDRThief attempts to steal metadata by querying internal MySQL databases used by the softswitch, with its mode of operation demonstrating a “solid understanding of the internal architecture of the targeted platform.” ESET found that any suspicious-looking strings in the malware were encrypted by the authors in order to hide malicious functionality from basic static analysis. Additionally, even though the password from the configuration file is encrypted, the CDRThief malware is still able to read and decrypt it.
ESET also revealed that the malware can be deployed to any location on the disk under any file name and, once it starts operating, attempts to launch a legitimate file present on the Linknat platform. ESET researcher Anton Cherepanov, who discovered the Linux malware, said that “this suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software.”
He added: “It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyber-espionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform international revenue share fraud.”