Linux Malware Targets VoIP Networks to Steal Metadata
'CDRThief' Malware Appears Designed for Espionage or Fraud
A recently uncovered Linux malware variant dubbed "CDRThief" is targeting VoIP networks to steal phone metadata, such as IP addresses, according to an analysis from the security firm ESET.
The origins of CDRThief are unknown, but ESET suspects the malware may be designed for cyberespionage because it can sweep up phone call metadata.
The malicious code might also be used for a type of phone scam called International Revenue Share Fraud, which allows fraudsters to run up a huge phone bill for victims by making calls to premium numbers, according to the report. By taking over an organization's phone network, hackers can place hundreds of calls to these premium numbers and take a cut of the profits, with one study noting these schemes can cost businesses up to $4 billion in yearly losses.
"It’s hard to know the ultimate goal of attackers who use this malware," Anton Cherepanov, an ESET researcher, notes in the report. "However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud."
Cherepanov says it’s difficult for researchers to determine if the ongoing CDRThief malware campaign is widespread. But most of the activity seems to be in Asia.
"Usually targeted [VoIP] devices don't have any security software installed, so it’s hard to say how many compromised devices are out there," Cherepanov tells Information Security Media Group.
How CDRThief Works
The malware targets VoIP softswitches that run on Linux-based servers, ESET reports. A softswitch is software central to telecom networks that connects calls from one phone line to another - either across the network or through the internet.
In this campaign, the malware targets only two VoIP softswitch platforms, both made by Chinese firm Linknat: VOS2009 and VOS3000.
It's unclear how the malware initially infects these VoIP systems, but it might be possible for the attackers to use a brute-force attack or exploit vulnerabilities in the platforms developed by Linknat, according to the ESET report. "Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past," Cherepanov notes.
Once inside the targeted network, CDRThief exfiltrates VoIP data by accessing the internal data stored in the network’s MySQL database, according to ESET.
The malware then reads credentials from the Linknat VOS2009 and VOS3000 configuration files and queries the MySQL databases used by the Linknat platforms to access the metadata, such as IP addresses of callers and recipients, starting time of the call, call duration and calling fees, the report notes.
Unlike other Linux malware, CDRThief is designed to only exfiltrate data; it does not support features such as shell command execution or exfiltrating specific files. This leads Cherepanov to believe the malware is still under development.
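The same call-record fields listed above (caller IP, start time, duration, fee) are what a defender can monitor for the revenue-share fraud pattern described earlier: many calls to premium-rate numbers from one endpoint in a short period. The following is an added example, not code from ESET's report or from Linknat's software; the record layout, the premium prefix, the window and threshold values, and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed premium-rate prefix for illustration; use the ranges your carrier bills as premium.
PREMIUM_PREFIXES = ("+1900",)

def build_sample_cdrs():
    """Constructed CDRs: (caller_ip, dialed_number, start_time, duration_s, fee)."""
    cdrs = [
        ("10.0.0.5", "+12025550100", "2020-09-10T09:00:00", 120, 0.05),
        ("10.0.0.5", "+19005550101", "2020-09-10T09:30:00", 60, 1.50),  # single premium call
    ]
    base = datetime(2020, 9, 10, 2, 0, 0)
    # Burst: eight short premium-rate calls from one endpoint, one per minute, at 02:00.
    for i in range(8):
        start = (base + timedelta(minutes=i)).isoformat()
        cdrs.append(("10.0.0.9", f"+1900555{i:04d}", start, 15, 1.50))
    return cdrs

def flag_premium_bursts(cdrs, prefixes=PREMIUM_PREFIXES,
                        window=timedelta(minutes=10), threshold=5):
    """Return {caller_ip: (peak premium calls in any window, total premium fees)}
    for callers whose peak reaches the threshold."""
    by_caller = defaultdict(list)
    for caller_ip, dialed, start, _duration, fee in cdrs:
        if dialed.startswith(prefixes):
            by_caller[caller_ip].append((datetime.fromisoformat(start), fee))
    flagged = {}
    for caller_ip, calls in by_caller.items():
        calls.sort()
        lo = peak = 0
        for hi in range(len(calls)):
            # Shrink the window from the left until it spans at most `window`.
            while calls[hi][0] - calls[lo][0] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[caller_ip] = (peak, round(sum(fee for _, fee in calls), 2))
    return flagged

if __name__ == "__main__":
    for ip, (peak, fees) in flag_premium_bursts(build_sample_cdrs()).items():
        print(f"{ip}: {peak} premium-rate calls within 10 minutes, {fees:.2f} in fees")
```

Running the check on an exported copy of the call records, off the softswitch host, keeps the alerting independent of a server that may itself be compromised.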
Although malware campaigns attempting to steal VoIP data are relatively rare, attackers have been known to use advanced social engineering to enable espionage using VoIP data.
In 2016, an independent security researcher warned many VoIP devices built by Cisco and Snom could be easily exploited (see: VoIP Phones: Eavesdropping Alert).
In May 2019, Facebook warned users of its WhatsApp messaging app to immediately fix a buffer overflow vulnerability in its VoIP stack that was being used to remotely install surveillance software (see: Attackers Exploit WhatsApp Flaw to Auto-Install Spyware).