Page 19 - AeM_September_2020
RESEARCH | ANALYSIS | TRENDS
Novel Linux malware targets VoIP softswitches
ESET researchers have discovered a previously unknown Linux malware that targets Voice over IP (VoIP) softswitches. The analysts of the European IT security vendor named the malicious program CDRThief. It is designed to target one very specific VoIP platform, used by two China-produced softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management; these softswitches are software-based solutions that run on standard Linux servers.

The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDRs). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, the start time of the call, call duration, calling fee, etc.

To steal this metadata, the malware queries the internal MySQL databases used by the softswitch. The attackers thus demonstrate a good understanding of the internal architecture of the targeted platform.

"So far it is unclear what exact target the attackers are pursuing with CDRThief. Since the hackers are targeting confidential information, including call metadata, we suspect cyber espionage to be the main purpose," explains ESET researcher Anton Cherepanov. "Another possible target could be VoIP fraud. Since the attackers receive information via VoIP softswitches and gateways, they could misuse this data for financial fraud."

In summary, CDRThief works as follows: in order to gain access to confidential information, the malware searches the internal MySQL databases used by the softswitches, providing the attackers with an overview of the internal architecture of the target platform. To hide the malicious functions from static analysis, the developers of CDRThief encrypted all suspicious-looking strings, even the decryption password, while the malware itself is still able to read and decrypt them. Clearly, the attackers show that they have a deep knowledge of the target platform. Even the stolen data is encoded and can only be decrypted by the attacker.

What makes the Linux/CDRThief malware so alarming is the fact that VoIP softswitches are still a new target for threat actors and that the stolen information could be used to perform International Revenue Share Fraud (IRSF).

The ESET researchers have published their full analysis on WeLiveSecurity. ◊

By MediaBUZZ.
19 September 2020: Cybersecurity & Data Safety: perpetual awareness and innovation