Threat Watch

CDRTheif Malware Steals Linux Softswitches VoIP Metadata

Researches at ESET analyzed new malware named CDRTheif. The malware targets a specific Voice over IP (VoIP) system to steal Call Data Records (CDR) from telephone equipment. The malware was specifically designed to target a particular Linux VoIP platform, VOS2009/3000 softswitches. A softswitch is a software solution acting as a VoIP server that manages traffic (audio/video/text) in a telecommunication network. It is a central element that ensures a connection between both internal and external lines. The main purpose of this malware is to compromise the softswitch and steal call metadata from internal MySQL databases, such as IP addresses of the caller, phone numbers, start time and duration of the call, and type and route. MySQL databases are password protected and the key is encrypted at rest in the configuration file. CDRTheif can read and decrypt the password indicating that the author behind the malware has a solid understanding of the platform that they are attacking. The malware delivers information to a Command and Control (C2) server using JSON and HTTP after compressing and encrypting it with a hardcoded RSA-1024 public key. Researchers have not been able to determine how persistence is achieved from the malware, but some of the commands suggest that the malware might be inserted into the boot chain of the platform.

ANALYST NOTES

This malware is likely being used in cyber espionage attempts or for VoIP fraud. The malware is built specifically to steal sensitive data and has no other purpose identified at the time of writing. The malware does not run shell commands or search and steal other files, meaning that the threat actor behind the malware knew exactly what they wanted the malware to do and accomplished it through development. At this point, there is no indication of who was behind the malware.

More can be found here: https://www.bleepingcomputer.com/news/security/new-cdrthief-malware-steals-voip-metadata-from-linux-softswitches/

IOC’s can be found here from ESET: https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/