New Linux Malware Steals Call Details from VoIP Softswitch Systems

Cybersecurity scientists have learned an fully new form of Linux malware dubbed “CDRThief” that targets voice around IP (VoIP) softswitches in an endeavor to steal cellular phone contact metadata.

“The major intention of the malware is to exfiltrate numerous non-public facts from a compromised softswitch, such as get in touch with element records (CDR),” ESET researchers claimed in a Thursday evaluation.

“To steal this metadata, the malware queries interior MySQL databases utilized by the softswitch. Thus, attackers reveal a superior knowledge of the internal architecture of the focused platform.”


Softswitches (brief for application switches) are usually VoIP servers that allow for for telecommunication networks to supply administration of voice, fax, details and video targeted visitors, and call routing.

ESET’s investigation uncovered that CDRThief qualified a certain Linux VoIP platform, particularly the VOS2009 and 3000 softswitches from Chinese corporation Linknat, and experienced its malicious operation encrypted to evade static analysis.

The malware starts off by attempting to identify the Softswitch configuration information from a checklist of predetermined directories with the intention of accessing the MySQL database credentials, which are then decrypted to question the databases.

ESET researchers say the attackers would have had to reverse engineer the platform binaries to examine the encryption process and retrieve the AES essential utilised to decrypt the databases password, suggesting the authors””deep know-how” of the VoIP architecture.

Apart from scooping up basic info about compromised Linknat method, CDRThief exfiltrates specifics of the databases (username, encrypted password, IP handle) and executes SQL queries straight to the MySQL databases in purchase to capture data pertaining to program occasions, VoIP gateways, and phone metadata.

“Facts to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 community crucial before exfiltration. As a result, only the malware authors or operators can decrypt the exfiltrated information,” ESET claimed.

In its present-day kind, the malware seems to be centered only on collecting knowledge from the database, but ESET warns that could very easily alter need to the attackers choose to introduce a lot more state-of-the-art doc stealing capabilities in an updated model.

That reported, the ultimate objective of the malware authors or details about the risk actor guiding the operation however remains unclear.

“At the time of writing we do not know how the malware is deployed onto compromised units,” ESET’s Anton Cherepanov claimed. “We speculate that attackers may attain obtain to the machine making use of a brute-power assault or by exploiting a vulnerability.”

“It would seem realistic to suppose that the malware is utilized for cyberespionage. Another feasible goal for attackers utilizing this malware is VoIP fraud. Considering the fact that the attackers acquire information and facts about exercise of VoIP softswitches and their gateways, this info could be used to execute Global Earnings Share Fraud (IRSF).”

Fibo Quantum