‘CDRThief’ Malware Targets Linknat Softswitches

ESET security researchers have discovered a new piece of malware that specifically targets softswitches from Linknat.

A VoIP solutions provider from China, Linknat offers software switches (delivering control, billing, and management for VoIP networks) to operators, virtual operators and large industrial organizations. The company was established in 2005.

ESET on Thursday published information on CDRThief, a piece of malware designed specifically to target the Linknat VOS2009 and VOS3000 softswitches, which run on standard Linux servers. Once it manages to compromise a target system, the malware attempts to exfiltrate call detail records (CDR), including IP addresses, call duration, calling fee, and more.

The malware’s ELF binary was compiled using a Go compiler and had all of its suspicious-looking strings encrypted. CDRThief was designed to read credentials from the configuration files of the targeted softswitches, which allow it to access internal data stored in the MySQL databases.

Although the password from the config file is encrypted, the malware manages to decrypt it, which shows that the attackers have good knowledge of the targeted platform. Most likely they reverse engineered platform binaries or managed to somehow gather information on the AES encryption algorithm and key that Linknat uses.

“To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers demonstrate a good understanding of the internal architecture of the targeted platform,” ESET says.

CDRThief contains multiple functions for command and control (C&C) communication, and exfiltrates data through SQL queries that are executed directly to the MySQL database.

ESET’s security researchers noticed that the malware is mainly interested in three tables in the database, which contain a log of system events, information about VoIP gateways, and call data records, respectively.

The malware compresses the data selected for exfiltration, then encrypts it with a hardcoded RSA-1024 public key.

“Based on the described functionality, we can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version,” ESET notes.

The researchers also reveal that the malware can be deployed to disk using arbitrary file names and that the employed persistence mechanism and infection vectors haven’t been identified yet. However, they suggest that a brute-force attack might be used and say they did observe the malware attempting to launch a legitimate binary usually present on the softswitches.

“This suggests that the malicious binary might somehow be inserted into a regular boot chain of the platform in order to achieve persistence and possibly masquerading as a component of the Linknat softswitch software,” ESET notes.

Related: FBI, NSA Share Details on New ‘Drovorub’ Linux Malware Used by Russia

Related: Kinsing Linux Malware Deploys Crypto-Miner in Container Environments

Related: New ‘Kaiji’ Botnet Attacks Linux, IoT Devices via SSH Brute Force