Page 19 - AeM_September_2020
RESEARCH | ANALYSIS | TRENDS

Novel Linux malware targets VoIP softswitches


ESET researchers have discovered a previously unknown Linux malware that targets Voice over IP (VoIP) softswitches. The analysts at the European IT security vendor named the malicious program CDRThief. It is designed to target a very specific VoIP platform, used by two China-produced softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management; these softswitches are software-based solutions that run on standard Linux servers.

The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDRs). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, the start time of the call, call duration, calling fee, etc.

To steal this metadata, the malware queries internal MySQL databases used by the softswitch. The attackers thus demonstrate a good understanding of the internal architecture of the targeted platform.

"So far it is unclear what exact target the attackers are pursuing with CDRThief. Since the hackers are targeting confidential information, including call metadata, we suspect cyber espionage to be the main purpose," explains ESET researcher Anton Cherepanov. "Another possible target could be VoIP fraud. Since the attackers receive information via VoIP softswitches and gateways, they could misuse this data for financial fraud."

In summary, CDRThief works as follows: in order to gain access to confidential information, the malware searches the internal MySQL databases used by the softswitches, which gives the attackers an overview of the internal architecture of the target platform. To hide the malicious functions from static analysis, the developers of CDRThief encrypted all suspicious-looking strings, even the decryption password, while the malware is still able to read and decrypt them. Clearly, the attackers show that they have a deep knowledge of the target platform. Even the stolen data is encrypted and can only be decrypted by the attacker.

What makes the Linux/CDRThief malware so alarming is the fact that VoIP softswitches are still a new target for threat actors and that the stolen information could be used to perform International Revenue Share Fraud (IRSF).

The ESET researchers have published their full analysis on WeLiveSecurity. ◊

By MediaBUZZ.
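The article describes the malware harvesting CDRs by querying the softswitch's internal MySQL databases. From the defender's side, that access pattern is visible in MySQL's general query log, which records every connection and statement together with the account that issued it. The Python script below is an added example, not code from the article or from ESET's analysis: it parses constructed general-log lines and flags reads of CDR or gateway tables that come from an account other than the softswitch's own, or that dump a table without any filter. The service account `vos_app`, the table names `cdr_records` and `gateway_config`, the database name and the simplified log layout are all assumptions chosen for illustration, not the real Linknat schema.

```python
"""Flag suspicious reads of CDR and gateway tables in a MySQL general query log.

Added example: the service account, table names and log lines below are
constructed for illustration and are NOT the real softswitch schema.
"""
import re
from dataclasses import dataclass

# Simplified general-log line layout assumed here: "<time> <conn_id> <command> <argument>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<cid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
# Connect argument layout assumed here: "<user>@<host> on <db> ..."
CONNECT_ARG = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)")
# Tables whose bulk export would hand an attacker CDRs or gateway details
SENSITIVE_TABLE = re.compile(r"\b(?:from|join)\s+`?(\w*(?:cdr|gateway)\w*)`?", re.IGNORECASE)
# A statement with neither WHERE nor LIMIT reads the whole table
FILTERED = re.compile(r"\b(?:where|limit)\b", re.IGNORECASE)

# Hypothetical account the softswitch itself uses for its database access.
ALLOWED_ACCOUNTS = {"vos_app"}

# Constructed sample log: one legitimate lookup, a foreign account dumping
# two tables, and one full-table dump issued from the application account.
SAMPLE_LOG = """\
2020-09-10T12:00:01.000000Z    12 Connect  vos_app@localhost on voip_db using Socket
2020-09-10T12:00:02.000000Z    12 Query    SELECT fee FROM cdr_records WHERE caller_ip = '10.0.0.5' LIMIT 1
2020-09-10T12:00:05.000000Z    13 Connect  root@localhost on voip_db using Socket
2020-09-10T12:00:06.000000Z    13 Query    SELECT * FROM cdr_records
2020-09-10T12:00:07.000000Z    13 Query    SELECT * FROM gateway_config
2020-09-10T12:00:08.000000Z    13 Quit
2020-09-10T12:00:09.000000Z    12 Query    SELECT * FROM cdr_records
"""


@dataclass
class Finding:
    conn_id: str
    account: str      # user@host that issued the statement
    table: str
    reasons: tuple    # why the statement was flagged
    query: str


def audit_general_log(text: str, allowed=ALLOWED_ACCOUNTS) -> list:
    """Return one Finding per sensitive-table access that looks abnormal."""
    sessions = {}    # connection id -> "user@host", learned from Connect lines
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue    # continuation lines of multi-line statements are ignored
        cid, cmd, arg = m["cid"], m["cmd"], m["arg"].strip()
        if cmd == "Connect":
            c = CONNECT_ARG.match(arg)
            sessions[cid] = f"{c['user']}@{c['host']}" if c else "unknown"
            continue
        if cmd == "Quit":
            sessions.pop(cid, None)
            continue
        if cmd != "Query":
            continue
        account = sessions.get(cid, "unknown")
        user = account.split("@", 1)[0]
        for table in SENSITIVE_TABLE.findall(arg):
            reasons = []
            if user not in allowed:
                reasons.append("unexpected account")
            if not FILTERED.search(arg):
                reasons.append("unfiltered bulk read")
            if reasons:
                findings.append(Finding(cid, account, table, tuple(reasons), arg))
    return findings


if __name__ == "__main__":
    for f in audit_general_log(SAMPLE_LOG):
        print(f"conn {f.conn_id} {f.account} -> {f.table}: {', '.join(f.reasons)}")
```

On the constructed input this reports the two dumps from `root@localhost` (unexpected account and unfiltered bulk read) and the full-table read from the application account (unfiltered bulk read only), while the filtered billing lookup passes. The general log is off by default (the `general_log` system variable) and is verbose, so on a production switch a database audit plugin or a read replica is the more practical source; the matching logic stays the same.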





19 | September 2020: Cybersecurity & Data Safety: perpetual awareness and innovation