Discover ESET

Our vision, values and technology.

Newsroom

Get the latest ESET updates.

Press releases

Company news at your fingertips.

Press contacts

Contact information for media and agencies.

Careers

Build a career with ESET.

ESET Research discovers CDRThief, malware attacking Chinese VoIP platform

Next story

BRATISLAVA – ESET researchers have discovered and analyzed malware that targets Voice over IP (VoIP) softswitches. This new malware, named CDRThief by ESET, is designed to target a very specific VoIP platform used by two China-made softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management. These softswitches are software-based solutions that run on standard Linux servers. Entirely new Linux malware is rarely seen, thus making CDRThief worthy of interest. The primary goal of the malware is to exfiltrate various private data, including call detail records (CDR), from a compromised softswitch.

“It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud,” says ESET researcher Anton Cherepanov, who discovered CDRThief. “CDRs contain metadata about VoIP calls such as caller and IP addresses of call recipients, starting time of the call, call duration, call fees, and other information,” he adds.

To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a solid understanding of the internal architecture of the targeted platform.

“We noticed this malware in one of our sample sharing feeds, and as an entirely new Linux malware, it’s a rarity and caught our attention. What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform,” explains Cherepanov.

To hide malicious functionality from basic static analysis, the authors encrypted any suspicious-looking strings. Interestingly, the password from the configuration file is stored encrypted. Despite this, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented. Furthermore, only the malware authors or operators can decrypt any exfiltrated data.

“The malware can be deployed to any location on the disk under any file name. It’s unknown what type of persistence is used for starting the malware. However, it should be noted that once the malware is started, it attempts to launch a legitimate file present on the Linknat platform. This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software,” concludes Cherepanov.

For more technical details about CDRThief, read the blog post “Who is calling? CDRThief targets Linux VoIP softswitches” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET 
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on  LinkedIn, Facebook , and Twitter.