ESET security researchers have discovered a new piece of malware that specifically targets softswitches from Linknat.
A VoIP solutions provider from China, Linknat offers software switches (delivering control, billing, and management for VoIP networks) to operators, virtual operators and large industrial organizations. The company was established in 2005.
ESET on Thursday published information on CDRThief, a piece of malware designed specifically to target the Linknat VOS2009 and VOS3000 softswitches, which run on standard Linux servers. Once it manages to compromise a target system, the malware attempts to exfiltrate call detail records (CDR), including IP addresses, call duration, calling fee, and more.
The malware’s ELF binary was compiled using a Go compiler and had all of its suspicious-looking strings encrypted. CDRThief was designed to read credentials from the configuration files of the targeted softswitches, which allow it to access internal data stored in the MySQL databases.
Although the password from the config file is encrypted, the malware manages to decrypt it, which shows that the attackers have good knowledge of the targeted platform. Most likely they reverse engineered platform binaries or managed to somehow gather information on the AES encryption algorithm and key that Linknat uses.
“To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform,” ESET says.
CDRThief contains multiple functions for command and control (C&C) communication, and exfiltrates data through SQL queries that are executed directly to the MySQL database.
ESET’s security researchers noticed that the malware is mainly interested in three tables in the database, which contain a log of system events, information about Vo ..
Support the originator by clicking the read the rest link below.
