A new VoIP softswitch malware named CDRThief suspected of stealing call detail metadata


A new VoIP (Voice over IP) softswitch malware named CDRThief has been detected stealing call detail metadata from two very specific softswitches: Linknat VOS2009 and VOS3000.

A new report from Slovak cyber-security firm ESET says its researchers have discovered a very rare piece of Linux malware that targets Voice-over-IP (VoIP) telephony switches to steal call details. The malware, dubbed CDRThief, is said to be specifically designed to attack the VoIP platform behind two China-made softswitches, Linknat VOS2009 and VOS3000.

In today's market, most telephony networks are built from a mix of switches and hardware. One of those elements is the softswitch, which also acts as a VoIP server and lets a telecommunication network manage voice, fax, data and video traffic as well as call routing. VoIP softswitches are divided into class 4 (transit or trunking) and class 5 (subscriber-facing) softswitches. A softswitch is a core element of a VoIP network that provides call control, billing and management, and these products are software-based solutions that run on standard Linux servers.

According to ESET, the primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDRs). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, call start time, call duration, calling fee, and so on.

According to the report, once the malware is running on a Linux server hosting Linknat VOS2009 or VOS3000, it searches for the Linknat configuration files and extracts the credentials for the built-in MySQL database in which the softswitch stores call detail records (CDRs, i.e. VoIP call metadata).

“We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past.”

ESET researcher

The report goes on to note that the password in the configuration file is stored encrypted, yet the threat actor operating CDRThief was still able to read and decrypt it.

Commenting on this, the researchers wrote that “the attackers demonstrate deep knowledge of the targeted platform since the algorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key used in the Linknat code.”

Finally, after stealing and decrypting the password, the malware connects to the MySQL database and runs SQL queries to gather CDR metadata, which is later uploaded to a remote server.
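The chain described above (read the softswitch's own database credentials, connect to MySQL, dump the CDR tables) leaves a trace in the MySQL general query log, which is where a defender can look for it. The script below is an added example, not ESET's or Linknat's code: it parses general_log lines, groups them by connection ID, and flags connections that read CDR tables either from an unexpected user or host, or with bulk SELECTs that carry no WHERE clause. The table names (e_cdr, cdr_log), the application account name (vos) and the sample log lines are all constructed assumptions; the article does not give the real Linknat schema.

```python
"""Flag CDRThief-style CDR dumps in a MySQL general query log.

Added example; not code from ESET's report or from Linknat. Table names,
the expected DB user and the sample log lines are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# MySQL 5.7+/8.0 general_log layout: "<time>\t<conn id> <Command>\t<argument>"
LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
# Connect argument: "<user>@<host> on <db> using <transport>"
CONNECT_RE = re.compile(r"^(\S+?)@(\S+) on (\S*)")
TABLE_RE = re.compile(r"\bfrom\s+`?(\w+)`?", re.IGNORECASE)
WHERE_RE = re.compile(r"\bwhere\b", re.IGNORECASE)

CDR_TABLES: Set[str] = {"e_cdr", "cdr_log"}   # assumed names, not Linknat's real schema
EXPECTED_USERS: Set[str] = {"vos"}             # the softswitch's own DB account (assumed)
EXPECTED_HOSTS: Set[str] = {"localhost", "127.0.0.1"}

# Constructed sample: connection 7 is the softswitch doing normal work,
# 9 is a localhost session using the app credentials to dump both CDR tables,
# 11 is a remote root login reading CDRs.
SAMPLE_LOG = """\
2020-09-10T08:00:01.000000Z   7 Connect  vos@localhost on vos_db using Socket
2020-09-10T08:00:01.500000Z   7 Query    INSERT INTO e_cdr (caller_ip, callee_ip, start_time, duration, fee) VALUES ('10.0.0.5','10.0.0.9',NOW(),61,0.12)
2020-09-10T08:00:02.000000Z   7 Query    SELECT fee FROM e_cdr WHERE id = 4242
2020-09-10T08:05:00.000000Z   9 Connect  vos@localhost on vos_db using TCP/IP
2020-09-10T08:05:00.100000Z   9 Query    SELECT caller_ip, callee_ip, start_time, duration, fee FROM e_cdr
2020-09-10T08:05:01.000000Z   9 Query    SELECT * FROM cdr_log
2020-09-10T08:05:03.000000Z   9 Quit
2020-09-10T08:10:00.000000Z  11 Connect  root@203.0.113.7 on vos_db using TCP/IP
2020-09-10T08:10:00.200000Z  11 Query    SELECT caller_ip FROM e_cdr WHERE start_time > '2020-09-09'
"""


def parse_log(text: str) -> Dict[int, dict]:
    """Group general_log lines into per-connection sessions."""
    sessions: Dict[int, dict] = defaultdict(
        lambda: {"user": None, "host": None, "queries": []})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, cid, cmd, arg = m.groups()
        cid = int(cid)
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                sessions[cid]["user"], sessions[cid]["host"] = c.group(1), c.group(2)
        elif cmd == "Query":
            sessions[cid]["queries"].append(arg)
    return dict(sessions)


def cdr_tables_touched(sql: str) -> Set[str]:
    """Return the CDR tables named in FROM clauses of a statement."""
    return {t.lower() for t in TABLE_RE.findall(sql) if t.lower() in CDR_TABLES}


def find_suspicious(sessions: Dict[int, dict]) -> List[dict]:
    """Flag sessions that SELECT from CDR tables in a suspicious way.

    A session with no Connect line (log rotated away) has user None and is
    treated as an unexpected user rather than silently trusted.
    """
    findings = []
    for cid, s in sorted(sessions.items()):
        touched: Set[str] = set()
        bulk: Set[str] = set()
        for q in s["queries"]:
            if not q.lstrip().upper().startswith("SELECT"):
                continue
            tables = cdr_tables_touched(q)
            touched |= tables
            if tables and not WHERE_RE.search(q):   # whole-table read
                bulk |= tables
        if not touched:
            continue
        reasons = []
        if s["user"] not in EXPECTED_USERS:
            reasons.append("user")
        if s["host"] not in EXPECTED_HOSTS:
            reasons.append("host")
        if bulk:
            reasons.append("bulk")
        if reasons:
            findings.append({"conn": cid, "user": s["user"], "host": s["host"],
                             "tables": sorted(touched), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"conn {f['conn']} {f['user']}@{f['host']} read {f['tables']}: {f['reasons']}")
```

Because CDRThief reuses the platform's own credentials and runs on the compromised server, the user/host allowlist alone would not fire on it (connection 9 above is flagged only for the bulk reads), so the shape of the SELECTs is the useful signal. The general log must be enabled for this to work (`SET GLOBAL general_log = 'ON'`), which costs disk and I/O on a busy switch; a binary-log or audit-plugin feed can be parsed the same way.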

The operators of the CDRThief malware are not yet known, and the researchers note that attacks of this kind on VoIP infrastructure are quite rare. Since the malware exfiltrates sensitive information, including call metadata, it seems reasonable to assume it is used for cyberespionage.

For more news on tech and cybersecurity stay tuned on Android Rookies by following us on Google News.

