1 November 2019

Chinese cyberespionage group deploys new malware to intercept SMS traffic at telecom networks

A China-linked threat group targets the servers of telecommunications companies with a new piece of malware designed to spy on SMS traffic within telcos’ networks, FireEye revealed. The new malware, dubbed MESSAGETAP, has been used by a Chinese threat actor tracked by FireEye as APT41. The group has been active since at least 2012 and is known to be focused on both cyber espionage and financially-motivated operations.

The MESSAGETAP espionage tool was discovered earlier this year during an investigation of a cluster of Linux servers at an unnamed telecommunications network provider. These servers were operating as Short Message Service Center (SMSC) servers, which route SMS messages to their intended recipient or store them until the recipient comes back online.

According to FireEye, MESSAGETAP is a 64-bit ELF data miner that monitors all network connections to and from the SMSC host in order to identify and extract SMS messages. The malware can capture not only the content of SMS messages, but also the IMSI numbers and the phone numbers of both the sender and the recipient. MESSAGETAP is loaded by an installation script; once installed, it checks for the existence of two configuration files, keyword_parm.txt and parm.txt, which contain the instructions on what messages should be extracted. Once these files are read and loaded into memory, they are deleted from disk, so an analyst examining the file system after the fact will not find the targeting lists.

The malware inspects the SMS message contents for keywords from a predefined list (the keywordVec list), compares the IMSI number against the entries in the imsiMap list, and checks the extracted phone numbers against the numbers in the phoneMap list. If a message passing through the targeted mobile operator's servers contains a keyword from the predefined list, or is associated with an IMSI or phone number of interest to the attackers, the content of the message is saved to a local CSV file that the attackers can retrieve later. APT41 has primarily been searching for keywords related to the names of political leaders, military and intelligence organizations, and political movements that oppose the Chinese government.
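To make the described filtering concrete, the following is an added example, written for this page and not code from MESSAGETAP or from FireEye's report: it re-implements the selection logic as FireEye describes it (a keyword list, an IMSI map and a phone-number map, with any match written out as a CSV row) over constructed sample traffic. The configuration file format (one keyword per line; `IMSI:` and `PHONE:` prefixed lines) and all numbers and keywords below are assumptions made up for the example, not indicators from the report.

```python
"""Model of the MESSAGETAP filtering logic as FireEye described it.

Added example: this is NOT code from the malware or from FireEye's report.
It re-implements the described behaviour (keyword list, IMSI map, phone map,
matches written to CSV) over constructed sample messages so a defender can
see what such a filter captures from cleartext SMSC traffic.
"""
import csv
import io
from dataclasses import dataclass


@dataclass
class Sms:
    sender: str      # MSISDN of the originator
    recipient: str   # MSISDN of the destination
    imsi: str        # IMSI attached to the message at the SMSC
    text: str        # cleartext message body


def load_parms(keyword_parm: str, parm: str):
    """Parse the two configuration files into the three selection lists.

    The file format is an assumption for this example (the page gives none):
    keyword_parm.txt holds one keyword per line; parm.txt holds lines of
    the form 'IMSI:<digits>' or 'PHONE:<digits>'.
    """
    keyword_vec = [k.strip() for k in keyword_parm.splitlines() if k.strip()]
    imsi_map, phone_map = set(), set()
    for line in parm.splitlines():
        kind, _, value = line.strip().partition(":")
        if kind == "IMSI":
            imsi_map.add(value)
        elif kind == "PHONE":
            phone_map.add(value)
    return keyword_vec, imsi_map, phone_map


def match_reason(msg: Sms, keyword_vec, imsi_map, phone_map):
    """Return why a message would be captured, or None if it is of no interest."""
    hits = [k for k in keyword_vec if k.lower() in msg.text.lower()]
    if hits:
        return "keyword:" + ",".join(hits)
    if msg.imsi in imsi_map:
        return "imsi"
    if msg.sender in phone_map or msg.recipient in phone_map:
        return "phone"
    return None


def filter_sms(messages, keyword_vec, imsi_map, phone_map):
    """Return (captured rows, CSV text) for every message matching any list."""
    rows = []
    for m in messages:
        reason = match_reason(m, keyword_vec, imsi_map, phone_map)
        if reason:
            rows.append((reason, m.imsi, m.sender, m.recipient, m.text))
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return rows, buf.getvalue()


# Constructed sample configuration and traffic (made up for the example).
KEYWORD_PARM = "protest\nembassy\n"
PARM = "IMSI:310150123456789\nPHONE:15551230001\n"

SAMPLE_TRAFFIC = [
    Sms("15551230001", "15551239999", "310150999999999", "lunch at noon?"),
    Sms("15551235555", "15551236666", "310150123456789", "running late"),
    Sms("15551237777", "15551238888", "310150888888888", "Protest moved to 5pm"),
    Sms("15551232222", "15551233333", "310150777777777", "ok see you"),
]


def run_example():
    """Apply the constructed lists to the constructed traffic."""
    kv, im, pm = load_parms(KEYWORD_PARM, PARM)
    rows, _ = filter_sms(SAMPLE_TRAFFIC, kv, im, pm)
    return rows


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Three of the four sample messages are captured, each for a different reason (a watched sender number, a watched IMSI, and a keyword in the body); the fourth matches nothing and is dropped. The point for defenders is that every check runs on cleartext fields the SMSC must see anyway, so nothing in the SMS protocol itself stops this kind of selection once an attacker has a foothold on the SMSC host.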

The hackers not only spied on SMS messages but also queried call detail record (CDR) databases in order to save and steal records related to “foreign high-ranking individuals of interest to the Chinese intelligence services”.

“Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers. In contrast, MESSAGETAP captures the contents of specific text messages,” the researchers said.

Overall in 2019, FireEye researchers said they observed four telecommunications firms targeted by the APT41 group, and another four telecoms targeted by separate China-linked threat groups.

“Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance,” the researchers concluded.
