ESET researchers have discovered a previously unknown Linux malware that targets Voice over IP (VoIP) softswitches. Analysts at the European IT security vendor named the malicious program CDRThief. It is designed to target a very specific VoIP platform used by two Chinese-made softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management; these softswitches are software-based solutions that run on standard Linux servers.
The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, starting time of the call, call duration, calling fee, etc.
To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform.
"So far it is unclear what exact target the attackers are pursuing with CDRThief. Since the hackers are targeting confidential information, including call metadata, we suspect cyber espionage to be the main purpose," explains ESET researcher Anton Cherepanov. "Another possible target could be VoIP fraud. Since the attackers receive information via VoIP softswitches and gateways, they could misuse this data for financial fraud."
In summary, CDRThief works as follows: to gain access to confidential information, the malware queries the internal MySQL databases used by the softswitch, which shows that the attackers have an overview of the internal architecture of the target platform. To hide the malicious functions from static analysis, the developers of CDRThief encrypted all suspicious-looking strings, including the decryption password; the malware itself is still able to read and decrypt them. Clearly, the attackers have a deep knowledge of the target platform. Even the stolen data is encrypted and can only be decrypted by the attackers.
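As an added illustration from the defender's side (this is not code from the page, from ESET, or from Linknat): because the malware collects CDRs by querying the softswitch's own MySQL database, one practical check is to review the MySQL general query log for reads of CDR or gateway-credential tables by any database account other than the softswitch's own. The log format below follows MySQL's general log (time, thread id, command, argument); the table names, the allow-listed account and the log lines themselves are constructed placeholders, not Linknat's.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical names for the tables that hold CDRs and gateway credentials.
SENSITIVE_TABLES = {"cdr_records", "gateway_accounts"}
# Hypothetical: the only MySQL account the softswitch application should use.
ALLOWED_USERS = {"vos_app@localhost"}

# Constructed MySQL general-log excerpt: thread 12 is the application,
# thread 31 is an unexpected remote root login, thread 55 has no Connect line.
SAMPLE_LOG = """\
2020-09-10T08:00:00.000000Z   12 Connect  vos_app@localhost on vosdb using Socket
2020-09-10T08:00:01.000000Z   12 Query    SELECT id, caller_ip, callee_ip, start_time, duration, fee FROM cdr_records WHERE start_time > '2020-09-09'
2020-09-10T08:04:59.000000Z   31 Connect  root@10.0.0.77 on vosdb using TCP/IP
2020-09-10T08:05:00.000000Z   31 Query    select * from cdr_records
2020-09-10T08:05:01.000000Z   31 Query    SELECT name, username, password FROM gateway_accounts
2020-09-10T08:06:00.000000Z   12 Query    UPDATE customer_balance SET balance = balance - 1 WHERE id = 42
2020-09-10T08:07:00.000000Z   55 Query    SELECT COUNT(*) FROM cdr_records
"""

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+@\S+)\s+on\s+(?P<db>\S*)")
# Table names following the keywords that introduce a table reference.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+`?(\w+)`?", re.IGNORECASE)


@dataclass
class Finding:
    time: str
    user: str
    table: str
    query: str


def tables_in(query):
    """Return the lower-cased set of table names referenced by a statement."""
    return {m.group(1).lower() for m in TABLE_RE.finditer(query)}


def find_sensitive_access(log_text):
    """Flag queries against sensitive tables by non-allow-listed DB accounts.

    Thread ids are mapped to users via their Connect line; a thread that was
    never seen connecting is attributed to 'unknown' and therefore flagged.
    """
    thread_user = defaultdict(lambda: "unknown")
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tid, cmd, arg = m["tid"], m["cmd"], m["arg"]
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            thread_user[tid] = c["user"] if c else "unknown"
        elif cmd == "Query":
            user = thread_user[tid]
            if user in ALLOWED_USERS:
                continue
            for table in sorted(tables_in(arg) & SENSITIVE_TABLES):
                findings.append(Finding(m["time"], user, table, arg))
    return findings


if __name__ == "__main__":
    for f in find_sensitive_access(SAMPLE_LOG):
        print(f"{f.time} {f.user} read {f.table}: {f.query}")
```

On the sample above the application's own reads are ignored, while the remote root session and the unattributed thread 55 each produce findings for the CDR and gateway tables. In production the general log is expensive, so the same logic is better fed from a narrower source such as an audit plugin or proxy log; the allow-list should be the exact account and host the softswitch is configured to use.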
What makes the Linux/CDRThief malware so alarming is that threat actors targeting VoIP softswitches is still a new development, and that the stolen information could be used to perform International Revenue Share Fraud (IRSF).
The ESET researchers have published their full analysis on WeLiveSecurity: https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/