Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

‘CDRThief’ Malware Targets Linknat Softswitches

ESET security researchers have discovered a new piece of malware that specifically targets softswitches from Linknat.

ESET security researchers have discovered a new piece of malware that specifically targets softswitches from Linknat.

A VoIP solutions provider from China, Linknat offers software switches (delivering control, billing, and management for VoIP networks) to operators, virtual operators and large industrial organizations. The company was established in 2005.

ESET on Thursday published information on CDRThief, a piece of malware designed specifically to target the Linknat VOS2009 and VOS3000 softswitches, which run on standard Linux servers. Once it manages to compromise a target system, the malware attempts to exfiltrate call detail records (CDR), including IP addresses, call duration, calling fee, and more.

The malware’s ELF binary was compiled using a Go compiler and had all of its suspicious-looking strings encrypted. CDRThief was designed to read credentials from the configuration files of the targeted softswitches, which allow it to access internal data stored in the MySQL databases.

Although the password from the config file is encrypted, the malware manages to decrypt it, which shows that the attackers have good knowledge of the targeted platform. Most likely they reverse engineered platform binaries or managed to somehow gather information on the AES encryption algorithm and key that Linknat uses.

“To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform,” ESET says.

CDRThief contains multiple functions for command and control (C&C) communication, and exfiltrates data through SQL queries that are executed directly to the MySQL database.

ESET’s security researchers noticed that the malware is mainly interested in three tables in the database, which contain a log of system events, information about VoIP gateways, and call data records, respectively.

The malware compresses the data selected for exfiltration, then encrypts it with a hardcoded RSA-1024 public key.

“Based on the described functionality, we can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version,” ESET notes.

The researchers also reveal that the malware can be deployed to disk using arbitrary file names and that the employed persistence mechanism and infection vectors haven’t been identified yet. However, they suggest that a brute-force attack might be used and say they did observe the malware attempting to launch a legitimate binary usually present on the softswitches.

“This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerading as a component of the Linknat softswitch software,” ESET notes.

Related: FBI, NSA Share Details on New ‘Drovorub’ Linux Malware Used by Russia

Related: Kinsing Linux Malware Deploys Crypto-Miner in Container Environments

Related: New ‘Kaiji’ Botnet Attacks Linux, IoT Devices via SSH Brute Force

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...