Researchers at ESET analyzed new malware named CDRThief. The malware targets a specific Voice over IP (VoIP) system to steal Call Data Records (CDR) from telephone equipment. It was designed specifically for one Linux VoIP platform, the VOS2009/3000 softswitches. A softswitch is a software solution acting as a VoIP server that manages traffic (audio/video/text) in a telecommunication network; it is the central element that connects internal and external lines. The main purpose of this malware is to compromise the softswitch and steal call metadata from its internal MySQL databases, such as the IP addresses of the callers, phone numbers, start time and duration of the call, and the call type and route. The MySQL databases are password protected, and the password is stored encrypted in the platform's configuration file. CDRThief can read and decrypt that password, which indicates that the author behind the malware has a solid understanding of the platform being attacked. The malware delivers the stolen information to a Command and Control (C2) server over HTTP as JSON, after compressing and encrypting it with a hardcoded RSA-1024 public key. Researchers have not been able to determine how the malware achieves persistence, but some of its commands suggest that it might be inserted into the platform's boot chain.
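A defender-side check for the exfiltration pattern described above, as an added example that is not from ESET's report: it scans egress-proxy log lines for JSON HTTP POSTs from softswitch hosts to destinations outside an allowlist. The log format, host names, allowlist and size threshold are constructed assumptions.

```python
"""Egress-log detector for the exfiltration pattern described above:
an HTTP POST carrying a JSON body, sent from a softswitch host to a
destination outside its expected set. The log format and host names are
constructed assumptions, not values taken from the report."""
import json
import re
from typing import Dict, List

# Constructed log format: "<ts> <src_host> <method> <url> <content-type> <bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<ctype>\S+) (?P<size>\d+)$"
)

# Assumed inventory: hosts running the softswitch, and destinations they may talk to.
SOFTSWITCH_HOSTS = {"vos-sw01", "vos-sw02"}
ALLOWED_DEST = {"billing.internal.example", "updates.vendor.example"}
MIN_SUSPICIOUS_BYTES = 2048  # a compressed batch of CDRs is not a tiny request


def dest_host(url: str) -> str:
    """Extract the destination host from an http(s) URL ('' if unparseable)."""
    m = re.match(r"^https?://([^/:]+)", url)
    return m.group(1) if m else ""


def suspicious_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return log entries matching the softswitch-to-unknown-host JSON POST pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than crash the detector
        rec = m.groupdict()
        if rec["src"] not in SOFTSWITCH_HOSTS:
            continue
        if rec["method"] != "POST" or not rec["ctype"].startswith("application/json"):
            continue
        if dest_host(rec["url"]) in ALLOWED_DEST:
            continue
        if int(rec["size"]) < MIN_SUSPICIOUS_BYTES:
            continue
        hits.append(rec)
    return hits


# Constructed sample: a benign billing push, a small health check, one suspect
# upload from a softswitch, and the same upload from a non-softswitch host.
SAMPLE_LOG = [
    "2020-09-10T01:02:03Z vos-sw01 POST https://billing.internal.example/cdr application/json 8192",
    "2020-09-10T01:05:00Z vos-sw01 POST http://203.0.113.7/api/upload application/json 300",
    "2020-09-10T01:07:44Z vos-sw02 POST http://203.0.113.7/api/upload application/json 65536",
    "2020-09-10T01:08:00Z web-01 POST http://203.0.113.7/api/upload application/json 65536",
]

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG):
        print(json.dumps(hit))
```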
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in