ESET researchers have discovered and analyzed malware that targets Voice over IP (VoIP) softswitches
This new malware that we have discovered and named CDRThief is designed to target a very specific VoIP platform, used by two China-produced softswitches (software switches): Linknat VOS2009 and VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and management. These softswitches are software-based solutions that run on standard Linux servers.
The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, starting time of the call, call duration, calling fee, etc.
To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform.
We noticed this malware in one of our sample sharing feeds, and as entirely new Linux malware is a rarity, it caught our attention. What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform. Its ELF binary was produced by the Go compiler with the debug symbols left unmodified, which is always helpful for the analysis.
To hide malicious functionality from basic static analysis, the authors encrypted all suspicious-looking strings with XXTEA and the key fhu84ygf8643, and then base64 encoded them. Figure 1 shows some of the code the malware uses to decrypt these strings at runtime.
To access internal data stored in the MySQL database, the malware reads credentials from Linknat VOS2009 and VOS3000 configuration files that it attempts to locate in the following paths:
Interestingly, the password from the configuration file is stored encrypted. However, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key used in the Linknat code.
As seen in Figure 2, CDRThief communicates with C&C servers using JSON over HTTP.
There are multiple functions in Linux/CDRThief’s code used for communication with C&C servers. Table 1 contains the original names of these functions used by the malware authors.
Table 1. Functions used for communication with C&C
|Function name||C&C path||Purpose|
|main.pingNet||/dataswop/a||Checks if C&C is alive|
|main.heartbeat||/dataswop/API/gojvxs||Main C&C loop, called every three minutes|
|main.baseInfo||/dataswop/API/gojvxs||Exfiltrates basic information about compromised Linknat system:|
|· MAC address|
|· cat /proc/version|
|· cat /etc/redhat-release|
|· UUID from /bin/ibus_10.mo (or / home/kunshi/base/ibus_10.mo )|
|main.upVersion||/dataswop/Download/updateGoGoGoGoGo||Updates itself to the latest version|
|main.pushLog||/dataswop/API/gojvxs||Uploads malware error log|
|main.load||/dataswop/API/gojvxs||Exfiltrates various information about the platform:|
|· SELECT SUM(TABLE_ROWS) FROM information_schema.TABLES WHERE table_name LIKE 'e_cdr_%'|
|· cat /etc/motd|
|· username, encrypted password, IP address of the database|
|· ACCESS_UUID from server.conf|
|· VOS software version|
|main.syslogCall||/dataswop/API/gojvxs||Exfiltrates data from e_syslog tables|
|main.gatewaymapping||/dataswop/API/gojvxs||Exfiltrates data from e_gatewaymapping tables|
|main.cdr||/dataswop/API/gojvxs||Exfiltrates data from e_cdr tables|
In order to exfiltrate data from the platform, Linux/CDRThief executes SQL queries directly to the MySQL database. Mainly, the malware is interested in three tables:
- e_syslog – contains log of system events
- e_gatewaymapping – contains information about VoIP gateways (see Figure 3)
- e_cdr – contains call data records (metadata of calls)
Data to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 public key before exfiltration. Thus, only the malware authors or operators can decrypt the exfiltrated data.
Based on the described functionality, we can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version.
The malware can be deployed to any location on the disk under any file name. It’s unknown what type of persistence is used for starting the malicious binary at each boot. However, it should be noted that once the malware is started, it attempts to launch a legitimate binary present on the Linknat VOS2009/VOS3000 platform using the following command:
exec -a ‘/home/kunshi/callservice/bin/callservice -r /home/kunshi/.run/callservice.pid’
This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerading as a component of the Linknat softswitch software.
At the time of writing we do not know how the malware is deployed onto compromised devices. We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past.
We analyzed Linux/CDRThief malware, which has a unique purpose to target specific VoIP softswitches. We rarely see VoIP softswitches targeted by threat actors; this makes the Linux/CDRThief malware interesting.
It’s hard to know the ultimate goal of attackers who use this malware. However, since this malware exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud (IRSF).
For any inquiries, or to make sample submissions related to the subject, contact us at firstname.lastname@example.org.
Indicators of Compromise
ESET detection name
File based mutexes
Files created during malware update
8E2624DA4D209ABD3364D90F7BC08230F84510DB (UPX packed)
82F51F098B85995C966135E9E7F63D1D8DC97589 (UPX packed)
Exfiltration encryption key (RSA)
—–BEGIN PUBLIC KEY—–MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ3k3GgS3FX4pI7s9x0krBYqbMcSaw4BPY91Ln
—–END PUBLIC KEY—–
MITRE ATT&CK techniques
Note: This table was built using version 7 of the MITRE ATT&CK framework.
|Defense Evasion||T1027||Obfuscated Files or Information||Linux/CDRThief contains obfuscates strings in the payload.|
|T1027.002||Obfuscated Files or Information: Software Packing||Some Linux/CDRThief samples are packed with UPX.|
|Credential Access||T1552.001||Unsecured Credentials: Credentials In Files||Linux/CDRThief reads credentials for MySQL database from a configuration file.|
|Discovery||T1082||System Information Discovery||Linux/CDRThief obtains detailed information about the compromised computer.|
|Collection||T1560.003||Archive Collected Data: Archive via Custom Method||Linux/CDRThief compresses stolen data with gzip before exfiltration.|
|Command and Control||T1071.001||Application Layer Protocol: Web Protocols||Linux/CDRThief uses HTTP for communication with C&C server.|
|Exfiltration||T1041||Exfiltration Over C2 Channel||Linux/CDRThief exfiltrates data to the C&C server.|