Quote:A malware dubbed CDRThief is targeting voice over IP (VoIP) softswitches inside the networks of large telecom carriers.
According to ESET researchers, the malware was custom-developed to attack the Linknat VOS2009 and VOS3000 softswitches, which run on standard Linux servers. The code is capable of retrieving private call metadata, including call-detail records (CDRs), which log the call times, duration, completion status, source number and destination number of phone calls flowing through a carrier’s network.
“We can say that the malware’s primary focus is on collecting data from the database,” said ESET researcher Anton Cherepanov, in a blog post issued on Thursday. “Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version.”
To steal the metadata, the malware queries the internal MySQL databases used by the softswitches. Data to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 public key before exfiltration. The malware also encrypts any suspicious-looking strings to hide malicious functionality from basic static analysis, as well as the password from the configuration file. Only the malware authors or operators can decrypt the exfiltrated data.
Read more: https://threatpost.com/cdrthief-malware-...ks/159100/
![[-]](https://www.geeks.fyi/images/collapse.png)
