ESET researchers have discovered and analysed malware that targets Voice over IP (VoIP) softswitches.
By Anton Cherepanov
This new malware that we have discovered and named CDRThief is designed to target a very specific VoIP platform, used by two China-produced softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management. These softswitches are software-based solutions that run on standard Linux servers.
The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, starting time of the call, call duration, calling fee, etc.
To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform.
Linux/CDRThief analysis
We noticed this malware in one of our sample sharing feeds, and as entirely new Linux malware is a rarity, it caught our attention. What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform. Its ELF binary was produced by the Go compiler with the debug symbols left unmodified, which is always helpful for the analysis.
To hide malicious functionality from basic static analysis, the authors encrypted all suspicious-looking strings with XXTEA and the key fhu84ygf8643, and then base64 encoded them. Figure 1 shows some of the code the malware uses to decrypt these strings at runtime.
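Once the encoded strings have been extracted from a sample, an analyst can reverse this obfuscation offline. The sketch below is an added example, not ESET's code and not code from the malware; it assumes standard base64 and the common XXTEA byte layout (little-endian words, a trailing length word, key zero-padded to 16 bytes), neither of which the article specifies. The encrypt helper exists only to build constructed test input.

```python
import base64
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF
KEY = b"fhu84ygf8643"  # key quoted in the article

def _words(data, with_len=False):
    """Little-endian uint32 words, zero padded; optional length word (assumed layout)."""
    padded = data + b"\0" * (-len(data) % 4)
    w = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    return w + [len(data)] if with_len else w

def _mx(s, y, z, p, e, k):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def xxtea_encrypt(data, key=KEY):
    """Used only to build constructed test input; returns base64 text."""
    v, k = _words(data, True), _words(key.ljust(16, b"\0")[:16])
    n, s, z = len(v), 0, v[-1]
    for _ in range(6 + 52 // n):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n):
            y = v[(p + 1) % n]
            z = v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
    return base64.b64encode(struct.pack("<%dI" % n, *v)).decode()

def decrypt_string(b64, key=KEY):
    """Base64-decode, then XXTEA-decrypt; None if the result is not well formed."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 8 or len(raw) % 4:
        return None  # XXTEA needs at least two whole 32-bit words
    v, k = _words(raw), _words(key.ljust(16, b"\0")[:16])
    n = len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, -1, -1):
            z = v[(p - 1) % n]
            y = v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
        s = (s - DELTA) & MASK
    size, body = v[-1], struct.pack("<%dI" % (n - 1), *v[:-1])
    return body[:size] if len(body) - 3 <= size <= len(body) else None

if __name__ == "__main__":
    sample = xxtea_encrypt(b"constructed test string")  # not from the sample
    print(decrypt_string(sample))
```

A `None` result on a string taken from a real binary suggests that the layout assumption, not the key, is what needs adjusting.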
Complete article on: https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/?utm_source=newsletter&utm_medium=email&utm_campaign=wls-newsletter-110920