ESET researchers have discovered and analyzed malware that targets Voice over IP (VoIP) softswitches. This new malware, named CDRThief by ESET, is designed to target a very specific VoIP platform used by two China-made softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management. These softswitches are software-based solutions that run on standard Linux servers. Entirely new Linux malware is rarely seen, thus making CDRThief worthy of interest. The primary goal of the malware is to exfiltrate various private data, including call detail records (CDR), from a compromised softswitch.

“It’s hard to know the ultimate goal of attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud,” says ESET researcher Anton Cherepanov, who discovered CDRThief. “CDRs contain metadata about VoIP calls such as caller and IP addresses of call recipients, starting time of the call, call duration, call fees, and other information,” he adds.

To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a solid understanding of the internal architecture of the targeted platform.

“We noticed this malware in one of our sample sharing feeds, and as an entirely new Linux malware, it’s a rarity and caught our attention. What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform,” explains Cherepanov.

To hide malicious functionality from basic static analysis, the authors encrypted any suspicious-looking strings. Interestingly, the password from the configuration file is stored encrypted. Despite this, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented. Furthermore, only the malware authors or operators can decrypt any exfiltrated data.

“The malware can be deployed to any location on the disk under any file name. It’s unknown what type of persistence is used for starting the malware. However, it should be noted that once the malware is started, it attempts to launch a legitimate file present on the Linknat platform. This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerade as a component of the Linknat softswitch software,” concludes Cherepanov.

For more technical details about CDRThief, read the blog post “Who is calling? CDRThief targets Linux VoIP softswitches” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.