Security researchers from cybersecurity firm ESET have uncovered a previously undocumented Linux malware family that targets Voice-over-IP (VoIP) telephony softswitches. The malware, dubbed “CDRThief”, is built to compromise two specific softswitches, Linknat VOS2009 and VOS3000, and exfiltrate private data such as call detail records (CDRs): metadata about VoIP calls, including the IP addresses of the caller and of the call recipient, the time of the call, and its duration. Softswitches are software-based systems that run on Linux servers. They are core elements of a VoIP network, providing call control, billing, and management.
How CDRThief Malware Works
To pilfer the call metadata, CDRThief queries the MySQL databases used by the softswitch. To hide its purpose from cursory inspection, the malware authors encrypted all suspicious-looking strings with XXTEA using the key fhu84ygf8643; because the key ships inside the binary, this is obfuscation rather than protection, and an analyst who locates the decryption routine can recover every string. At runtime the malware reads the database credentials from the Linknat VOS2009 and VOS3000 configuration files and uses them to access the data stored in the MySQL database. CDRThief also implements several functions for communicating with its command-and-control (C&C) servers.
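The string obfuscation described above, as an added example rather than ESET's analysis tooling or the malware's own code: a Python XXTEA implementation that obfuscates a few constructed strings under the reported key and then recovers them, which is the step an analyst needs in order to read the sample's strings. The zero-padding of the 12-byte key to the 128 bits XXTEA requires, the little-endian word order and the NUL padding of plaintext are assumptions, as are the sample strings; a real sample may frame its data differently.

```python
"""XXTEA string recovery for CDRThief-style string obfuscation.

Added example for this article, not ESET's tooling or the malware's code.
Supported by the article: strings are XXTEA-encrypted with key fhu84ygf8643.
Assumptions: the 12-byte key is zero-padded to 16 bytes; words are
little-endian; plaintext is NUL-padded to a multiple of 4 bytes (minimum 8,
XXTEA's smallest block); the sample strings are constructed, not extracted.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
CDRTHIEF_KEY = b"fhu84ygf8643"   # key reported by ESET; padding is assumed


def _key_words(key: bytes) -> list:
    # Assumption: zero-pad (or truncate) to the four 32-bit words XXTEA needs.
    return list(struct.unpack("<4I", key.ljust(16, b"\0")[:16]))


def _mx(total, y, z, p, e, k):
    # XXTEA mixing function from the reference "Corrected Block TEA".
    # Shifts are masked only at the end: carries never move downward, so the
    # low 32 bits match C uint32 arithmetic.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def _btea(v: list, k: list, encrypt: bool) -> list:
    n = len(v)
    rounds = 6 + 52 // n
    if encrypt:
        total, z = 0, v[n - 1]
        for _ in range(rounds):
            total = (total + DELTA) & MASK
            e = (total >> 2) & 3
            for p in range(n - 1):
                y = v[p + 1]
                v[p] = z = (v[p] + _mx(total, y, z, p, e, k)) & MASK
            y = v[0]
            v[n - 1] = z = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
    else:
        total, y = (rounds * DELTA) & MASK, v[0]
        for _ in range(rounds):
            e = (total >> 2) & 3
            for p in range(n - 1, 0, -1):
                z = v[p - 1]
                v[p] = y = (v[p] - _mx(total, y, z, p, e, k)) & MASK
            z = v[n - 1]
            v[0] = y = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
            total = (total - DELTA) & MASK
    return v


def _to_words(data: bytes) -> list:
    padded = data.ljust(max(8, len(data) + (-len(data) % 4)), b"\0")
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))


def _from_words(words: list) -> bytes:
    return struct.pack("<%dI" % len(words), *words)


def xxtea_encrypt(data: bytes, key: bytes = CDRTHIEF_KEY) -> bytes:
    """Obfuscate a string as the article describes (used here to build input;
    an analyst normally only needs the decrypt direction)."""
    return _from_words(_btea(_to_words(data), _key_words(key), True))


def xxtea_decrypt(blob: bytes, key: bytes = CDRTHIEF_KEY) -> bytes:
    if len(blob) < 8 or len(blob) % 4:
        raise ValueError("XXTEA ciphertext must be >= 8 bytes and a multiple of 4")
    return _from_words(_btea(_to_words(blob), _key_words(key), False))


def recover_string(blob: bytes, key: bytes = CDRTHIEF_KEY) -> str:
    """Decrypt one blob and cut at the first NUL, as for a C string."""
    return xxtea_decrypt(blob, key).split(b"\0", 1)[0].decode("utf-8", "replace")


# Constructed sample strings (not from the real binary) of the kind an analyst
# would expect to find obfuscated: a database query and a C&C-style path.
SAMPLE_STRINGS = [
    "SELECT caller_ip, callee_ip, duration FROM cdr",
    "/api/v1/upload",
    "",
]


def self_check(key: bytes = CDRTHIEF_KEY) -> bool:
    """Round-trip every sample: obfuscate, confirm the plaintext is no longer
    visible in the blob, then recover it."""
    for s in SAMPLE_STRINGS:
        blob = xxtea_encrypt(s.encode(), key)
        if s and s.encode() in blob:
            return False
        if recover_string(blob, key) != s:
            return False
    return True


if __name__ == "__main__":
    for s in SAMPLE_STRINGS:
        blob = xxtea_encrypt(s.encode())
        print(blob.hex(), "->", repr(recover_string(blob)))
    print("round-trip ok:", self_check())
```

In practice the analyst finds the call sites of the sample's decryption routine, extracts each encrypted blob passed to it, and feeds the blobs to recover_string; if the result is garbage, the framing assumptions (key padding, endianness, length handling) are the first things to revisit, not the XXTEA core.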
“We can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version. The malware can be deployed to any location on the disk under any file name. It is unknown what type of persistence is used for starting the malicious binary at each boot. However, it should be noted that once the malware is started, it attempts to launch a legitimate binary present on the Linknat VOS2009/VOS3000 platform,” the researchers said.
While the ultimate goal of the malware's creators is not known, the researchers assess that CDRThief is most likely used for cyber espionage. “Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud (IRSF),” the researchers added.