New CDRThief malware targeting Linux VoIP softswitches to record call metadata

 CDRThief – a new threat detected in the wild targeting specific Voice over IP system and stealing call data records (CDR) through telephone exchange equipment. Malware analysts say, this malware is especially crafted for a particular Linux VolP platform – Linknat VOS2009/3000 softswitches.

Softswitches refer to software solution that acts a a VolP server and manages traffic in a telecomincation network. The detected malware tries to compromise the vulnerable VOS2009/3000 softswitches to steal the call metadata from MySQL databases. Such data include IP addresses of the callers, phone numbers, start time and duration of the call, its route and type.

On Analyzing, ESET researchers come to a conclusion that this malware attempts to obfuscate the malicious functionality by using XXTEA cipher and then running Base64 encoding on suspicious looking links.

The MySQL databases are usually password protected. ESET thinks the authors had to reverse these engineer platform binaries to get the details in the LInknat code about the AES and key to decrypt the database access password.

The CDRThief malware can read and decrypt this key is an indication that the developers of it know very well about the platform. The gathered information is to the command and control server using JSON over HTTP after compressing and encrypting it with a hardcoaded RSA-1024 public key.

  “Based on the described functionality, we can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version” -ESET.

At present, it is not known how the malware gains persistence. Researchers believe that the command – exec -a ‘/home/kunshi/callservice/bin/callservice -r/home/kunshi/.run/callservice.pid’ – might be inserted to the platform, camouflaged as a Linknat softswitch component.