New Linux Malware Extracts Call Data from VoIP Softswitch Systems

New Linux Malware Targets VoIP Systems to Steal Call Metadata

Cybersecurity experts have identified a novel strain of Linux malware named “CDRThief,” specifically engineered to exploit vulnerabilities in voice over IP (VoIP) softswitches. This malware aims to extract sensitive phone call metadata from compromised systems, raising significant concerns for businesses leveraging VoIP technology.

According to a recent analysis by ESET researchers, CDRThief’s primary objective is to exfiltrate various private data, including call detail records (CDRs). The malware accomplishes this by querying internal MySQL databases integral to the softswitch’s operations. This indicates that the attackers possess a sophisticated understanding of the architecture and functionality of the targeted VoIP platform.

ESET’s research has pinpointed that CDRThief targets a specific Linux VoIP infrastructure: the VOS2009 and VOS3000 softswitches developed by the Chinese company Linknat. The malicious functionality of the malware is encrypted to evade detection through static analysis, demonstrating a higher level of sophistication in its design.

Upon initiating its attack, CDRThief systematically searches for softswitch configuration files within predetermined directories. The primary goal here is to retrieve MySQL database credentials, which it subsequently decrypts to facilitate database queries. Experts note that the attackers likely reverse-engineered the platform’s binaries to determine the encryption methods and extract the AES key necessary for decrypting passwords. This reflects a profound technical knowledge of VoIP systems.
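The configuration-file step described above gives defenders a concrete thing to watch for: a process that is not the softswitch reading the files that hold the database credentials. The following Python script is an added example, not code from the article or from ESET, and it correlates auditd-style SYSCALL and PATH records by their audit event key and reports any successful open of a watched config file by an executable outside an allow-list. The paths, executable names and audit records are constructed placeholders, not real Linknat paths or CDRThief indicators.

```python
"""
Added example (not from the article or ESET): flag reads of softswitch
configuration files by programs that are not the softswitch itself,
using auditd-style records. Paths, executable names and the audit
records below are constructed placeholders, not real CDRThief IoCs.
"""
import re
from collections import defaultdict

# Hypothetical locations of softswitch config files holding DB credentials.
WATCHED_CONFIG_PATHS = {
    "/opt/softswitch/conf/db.ini",        # placeholder
    "/opt/softswitch/conf/server.ini",    # placeholder
}

# Executables that legitimately read those files (placeholder names).
ALLOWED_EXES = {
    "/opt/softswitch/bin/switchd",
    "/usr/bin/vim",
}

# msg=audit(<epoch>.<ms>:<serial>) is the key auditd uses to tie the
# SYSCALL record and its PATH records of one event together.
AUDIT_KEY = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Return (event_key, record_type, fields) or None for unparsable lines."""
    m = AUDIT_KEY.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return m.group(1), fields.get("type"), fields


def suspicious_config_reads(lines):
    """Group records by event key, then report SYSCALL+PATH pairs where a
    non-allow-listed executable successfully opened a watched config file."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        key, rtype, fields = parsed
        if rtype == "SYSCALL":
            events[key]["syscall"] = fields
        elif rtype == "PATH":
            events[key]["paths"].append(fields.get("name", ""))
    alerts = []
    for key, ev in events.items():
        sc = ev["syscall"]
        if sc is None or sc.get("success") != "yes":
            continue  # failed opens are noise for this rule
        exe = sc.get("exe", "")
        for path in ev["paths"]:
            if path in WATCHED_CONFIG_PATHS and exe not in ALLOWED_EXES:
                alerts.append({"event": key, "exe": exe,
                               "pid": sc.get("pid"), "path": path})
    return alerts


# Constructed sample: one legitimate read by the softswitch daemon, one
# successful read by an unknown binary in /tmp (placeholder name), and one
# failed open by the same binary.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1599600000.101:300): arch=c000003e syscall=257 success=yes exit=4 pid=1120 uid=0 comm="switchd" exe="/opt/softswitch/bin/switchd" key="sw_conf"',
    'type=PATH msg=audit(1599600000.101:300): item=0 name="/opt/softswitch/conf/db.ini" inode=5555 mode=0100640',
    'type=SYSCALL msg=audit(1599600042.517:318): arch=c000003e syscall=257 success=yes exit=3 pid=4471 uid=0 comm="updchk" exe="/tmp/updchk" key="sw_conf"',
    'type=PATH msg=audit(1599600042.517:318): item=0 name="/opt/softswitch/conf/db.ini" inode=5555 mode=0100640',
    'type=SYSCALL msg=audit(1599600050.000:319): arch=c000003e syscall=257 success=no exit=-13 pid=4471 uid=0 comm="updchk" exe="/tmp/updchk" key="sw_conf"',
    'type=PATH msg=audit(1599600050.000:319): item=0 name="/opt/softswitch/conf/server.ini" inode=5556 mode=0100600',
]

if __name__ == "__main__":
    for a in suspicious_config_reads(SAMPLE_AUDIT_LOG):
        print(f"ALERT event={a['event']} pid={a['pid']} exe={a['exe']} read {a['path']}")
```

On a real host the records would come from an auditd watch on the config directory (the `key="sw_conf"` field is the kind of tag such a rule attaches); the point of correlating on the event key rather than grepping single lines is that the executable lives in the SYSCALL record while the file name lives in the PATH record.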

In addition to gathering fundamental information from the compromised Linknat system, CDRThief meticulously collects database details such as usernames, encrypted passwords, and IP addresses. Furthermore, it executes SQL queries to capture specific information related to system events, VoIP gateways, and call metadata. The data exfiltrated from key tables is compressed and encrypted with a hardcoded RSA-1024 public key, ensuring that only the attackers can decrypt the captured information.
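Because the malware authenticates to MySQL with the softswitch's own decrypted credentials, a detection that only checks which account ran a query is not enough. The following Python script is an added example, not code from the article or from ESET. It parses MySQL general-log lines, ties each Query to the user@host that opened the connection, and raises an alert both when a SELECT on the event, gateway or call-record tables comes from an unexpected client and when a single session reads all of those tables in turn, which is the bulk-dump pattern the article describes. The table names, accounts, hosts and log lines are constructed placeholders; the real Linknat table names are not given in the article.

```python
"""
Added example (not from the article or ESET): detection logic for the
database side of the behaviour described in the article. All table names,
accounts, hosts and log lines are constructed placeholders.
"""
import re
from collections import defaultdict

# Placeholder names standing in for the softswitch's event, gateway and
# CDR tables (the real names are not given in the article).
SENSITIVE_TABLES = {"sys_events", "voip_gateways", "call_records"}

# Accounts and hosts from which the softswitch normally queries these
# tables (placeholders).
EXPECTED_CLIENTS = {("switchapp", "localhost")}

# Distinct sensitive tables read in one session before it counts as a
# bulk dump, even when the client account is the expected one.
BULK_DUMP_THRESHOLD = 3

# MySQL 5.7+ general log: "<timestamp>\t<thread id> <Command>\t<Argument>"
LOG_LINE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
CONNECT_ARG = re.compile(r"^(\w+)@([\w.\-]+) on ")
FROM_TABLE = re.compile(r"\b(?:FROM|JOIN)\s+`?(\w+)`?", re.IGNORECASE)


def parse_line(line):
    """Split one general-log line into its fields, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, thread_id, command, arg = m.groups()
    return {"ts": ts, "thread": thread_id, "command": command, "arg": arg}


def audit_general_log(lines):
    """Return alerts for sensitive-table SELECTs from unexpected clients and
    for sessions that dump BULK_DUMP_THRESHOLD distinct sensitive tables."""
    sessions = {}               # thread id -> (user, host) from the Connect line
    touched = defaultdict(set)  # thread id -> sensitive tables read so far
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tid = rec["thread"]
        if rec["command"] == "Connect":
            cm = CONNECT_ARG.match(rec["arg"])
            if cm:
                sessions[tid] = (cm.group(1), cm.group(2))
        elif rec["command"] == "Query":
            if not rec["arg"].lstrip().upper().startswith("SELECT"):
                continue
            tables = {t.lower() for t in FROM_TABLE.findall(rec["arg"])} & SENSITIVE_TABLES
            if not tables:
                continue
            client = sessions.get(tid, ("?", "?"))
            if client not in EXPECTED_CLIENTS:
                alerts.append({"ts": rec["ts"], "thread": tid, "client": client,
                               "reason": "unexpected_client", "tables": sorted(tables)})
            touched[tid] |= tables
            if len(touched[tid]) == BULK_DUMP_THRESHOLD:  # fires once per session
                alerts.append({"ts": rec["ts"], "thread": tid, "client": client,
                               "reason": "bulk_dump", "tables": sorted(touched[tid])})
        elif rec["command"] == "Quit":
            sessions.pop(tid, None)
            touched.pop(tid, None)
    return alerts


# Constructed sample: a normal lookup (thread 41), a session using the
# expected account that dumps every sensitive table (thread 58), and a
# remote root session reading call records (thread 63).
SAMPLE_GENERAL_LOG = [
    "2020-09-10T08:00:00.000100Z\t   41 Connect\tswitchapp@localhost on switchdb using Socket",
    "2020-09-10T08:00:00.000900Z\t   41 Query\tSELECT status FROM voip_gateways WHERE id = 7",
    "2020-09-10T08:00:01.000100Z\t   41 Quit\t",
    "2020-09-10T08:05:12.000100Z\t   58 Connect\tswitchapp@localhost on switchdb using Socket",
    "2020-09-10T08:05:12.100100Z\t   58 Query\tSELECT * FROM sys_events",
    "2020-09-10T08:05:12.200100Z\t   58 Query\tSELECT * FROM voip_gateways",
    "2020-09-10T08:05:12.300100Z\t   58 Query\tSELECT caller, callee, duration FROM call_records",
    "2020-09-10T08:05:13.000100Z\t   58 Quit\t",
    "2020-09-10T08:07:30.000100Z\t   63 Connect\troot@10.0.0.9 on switchdb using TCP/IP",
    "2020-09-10T08:07:30.500100Z\t   63 Query\tSELECT * FROM call_records",
]

if __name__ == "__main__":
    for a in audit_general_log(SAMPLE_GENERAL_LOG):
        print(f"ALERT {a['ts']} thread={a['thread']} {a['reason']} "
              f"client={a['client'][0]}@{a['client'][1]} tables={a['tables']}")
```

The general log is expensive on a busy softswitch, so in practice the same logic would run over an audit plugin's output or a query log sampled around the tables of interest; what matters is keeping the Connect-to-thread mapping so that each query can be attributed to a principal, and counting distinct tables per session rather than trusting the account name alone.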

Currently, the malware seems focused solely on data capture rather than more destructive capabilities. However, researchers warn that future iterations could incorporate advanced features for document theft. As of now, the motivations behind the malware’s development and deployment remain obscure. ESET’s Anton Cherepanov speculates that attackers may use brute-force methods or exploit existing vulnerabilities to gain initial access to compromised devices.

Despite the immediate focus on data gathering, the potential for cyberespionage or VoIP fraud looms large. Given that attackers have access to VoIP softswitch activity and gateways, this could pave the way for International Revenue Share Fraud (IRSF) schemes, where fraudulent call activities generate illicit revenues.

In summary, the emergence of CDRThief underscores the ongoing risks associated with securing VoIP infrastructures. As businesses increasingly rely on these technologies, the necessity for vigilant cybersecurity measures becomes ever more critical. Understanding the tactics outlined in the MITRE ATT&CK framework, such as initial access and persistence, can aid organizations in fortifying their defenses against such sophisticated malware threats. Awareness and proactive measures are essential to safeguard sensitive communication data in today’s interconnected world.
