Security researchers from Slovak cyber-security firm ESET have uncovered a new interesting piece of malware designed to target specific Linux VoIP softswitches, namely the Linknat VOS2009 / VOS3000 softswitches, which run on standard Linux servers. Once the device is compromised, the malware, dubbed CDRThief, attempts to steal call detail records (CDR), including IP addresses, call duration, calling fee, and more.
The malware’s ELF binary was compiled with the Go compiler and all suspicious-looking strings were encrypted with XXTEA and the key fhu84ygf8643 and then base64 encoded.
The primary goal of the malware is to exfiltrate various private data from a compromised softswitch. To achieve this CDRThief targets an internal MySQL database running in the device to which it gains access by reading credentials from Linknat VOS2009 and VOS3000 configuration files.
Although the password from the configuration file is stored encrypted, the malware can read and decrypt it.
“Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key used in the Linknat code,” the researchers note.
ESET says that unlike other backdoors the analyzed malware sample did not contain functionality for shell command execution or exfiltrating specific files from the compromised softswitch’s disk, however, it is possible that these capabilities might be introduced in future versions of the CDRThief malware.
The researchers have not been able to find out how the malware is delivered onto compromised devices, but they believe that threat actors might obtain access to the device using a brute-force attack or by exploiting a vulnerability.
“It’s hard to know the ultimate goal of attackers who use this malware. However, since this malware exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud (IRSF),” the researchers concluded.