APT41 (China): Malware that collects targeted text messages and call logs, attributed to a threat actor group believed to be sponsored by the government of China, was discovered during an incident response at a telecommunications service provider and publicly reported by FireEye yesterday. The malware was found running on the Linux servers responsible for handling text messages, and it used a list of specific phone numbers and International Mobile Subscriber Identity (IMSI) numbers to target the text messages and call log records of particular subscribers. The malware also used a list of keywords of geo-political interest to Chinese intelligence services. The malware collects the contents of any text message passing through the affected servers if the message was sent to or from a targeted phone, or if the message contains any of the keywords, regardless of the sender. In addition to stealing text messages, the malware collects records of voice calls involving the targeted subscribers, but not recordings of the conversations themselves. FireEye attributed the attack to APT41, a threat actor group that has been operating since at least 2012 and has allegedly been involved in computer intrusions supporting espionage missions as well as financially motivated attacks targeting healthcare, telecommunications, technology and video game companies.
A less-capable version of the malware described in FireEye’s report can be found on VirusTotal by searching for the following MD5 hash:
File name: mtlserver
MD5 hash: 8D3B3D5B68A1D08485773D70C186D877
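The only indicators given above are a file name and an MD5 hash. As an added example (not from FireEye's report or the original write-up), the following script sweeps a directory tree on a Linux host, hashes every regular file, and flags anything that matches the published MD5 or carries the reported file name. Paths, the directory to scan and the sample files in the usage function are assumptions for illustration; the hash and name are the ones listed above.

```python
import hashlib
import os
from typing import Dict, List

# Indicators taken from the report summary above (hash compared case-insensitively).
IOC_MD5 = {"8d3b3d5b68a1d08485773d70c186d877"}
IOC_FILE_NAMES = {"mtlserver"}


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the lowercase hex MD5 of a file, reading it in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root: str) -> List[Dict[str, str]]:
    """Walk `root` and return one finding per file matching an indicator.

    Each finding records the path, its MD5 and which indicator matched
    ("md5", "name" or "md5+name"). Unreadable files are skipped so the
    sweep can run as an unprivileged user without aborting.
    """
    findings: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.islink(path):
                continue
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            reasons = []
            if digest in IOC_MD5:
                reasons.append("md5")
            if name in IOC_FILE_NAMES:
                reasons.append("name")
            if reasons:
                findings.append({"path": path, "md5": digest, "match": "+".join(reasons)})
    return findings


def demo(root: str) -> List[Dict[str, str]]:
    """Constructed sample: one benign file and one file carrying the IoC name.

    The file contents are placeholders, so only the name indicator can fire here;
    the hash check would fire on the actual sample referenced above.
    """
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"constructed benign content\n")
    with open(os.path.join(root, "mtlserver"), "wb") as fh:
        fh.write(b"constructed placeholder, not the real sample\n")
    return scan_directory(root)


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        for hit in demo(tmp):
            print(f"{hit['match']:8} {hit['md5']}  {hit['path']}")
```

Run it against the directories an SMS-handling process would realistically write to; a hash-only match is strong evidence, while a name-only match warrants a closer look rather than an alert on its own.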