Who is calling? CRDThief targets Linux VoIP softswitches

 

ESET researchers have discovered and analysed malware that targets Voice over IP (VoIP) softswitches.

 By Anton Cherepanov

 This new malware that we have discovered and named CDRThief is designed to target a very specific VoIP platform, used by two China-produced softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management. These softswitches are software-based solutions that run on standard Linux servers.

 The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, starting time of the call, call duration, calling fee, etc.

 To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform.

Linux/CDRThief analysis

 We noticed this malware in one of our sample sharing feeds, and as entirely new Linux malware is a rarity, it caught our attention. What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform. Its ELF binary was produced by the Go compiler with the debug symbols left unmodified, which is always helpful for the analysis.

 To hide malicious functionality from basic static analysis, the authors encrypted all suspicious-looking strings with XXTEA and the key fhu84ygf8643, and then base64 encoded them. Figure 1 shows some of the code the malware uses to decrypt these strings at runtime.

 Complete article on: https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/?utm_source=newsletter&utm_medium=email&utm_campaign=wls-newsletter-110920