APT41 (China): Malware that collects targeted text messages and call logs, which is attributed to a threat actor group believed to be sponsored by the government of China, was discovered during an incident response at a telecommunications service provider and publicly reported by FireEye yesterday. The malware was found to be running on Linux servers that are responsible for handling text messages, and it used a list of specific phone numbers and International Mobile Subscriber Identifiers (IMSI) numbers to target the text messages and call log records from particular subscribers’ phones. The malware also used a list of keywords that are of geo-political interest to Chinese intelligence services. The contents of text messages that pass through the affected servers are collected by the malware if the message was sent to or from any of the targeted phones, or if any message contains any of the keywords, regardless of the sender. In addition to stealing text messages, the malware also collects records of voice calls involving the targeted phone subscribers, but not actual recordings of the conversations. The attack was attributed by FireEye to APT41, a threat actor group that has been operating since at least 2012, and has allegedly been involved in computer intrusions that support espionage missions as well as financially-motivated attacks targeting healthcare, telecommunications, technology and video game companies.
A less-capable version of the malware described in FireEye’s report can be found on VirusTotal by searching for the following MD5 hash:
File name: mtlserver
MD5 hash: 8D3B3D5B68A1D08485773D70C186D877
Analyst Notes
Text messages and calls made through telecommunications providers are not encrypted and could be subject to lawful interception by government agencies with court authorization, or by unauthorized attackers through computer intrusion and exploitation operations. Messaging applications that support end-to-end encryption offer better protection from interception, although any communication through a mobile phone can never be considered completely safe from those who wish to intercept them, especially if the messages are stored on the mobile device in an unencrypted database for long periods of time. Meta-data such as call records and text message delivery records that show evidence of communication between two parties is much less protected and may be possible for attackers to intercept, regardless of the method used to communicate. This report illustrates that the government of China continues to conduct intelligence-gathering operations targeting telecommunications service providers, as do the intelligence services of many other governments.
