CDRThief Linux malware steals VoIP metadata from Linux softswitches

Pierluigi Paganini September 10, 2020

ESET researchers discovered a new piece of malware dubbed CDRThief targets a specific Voice over IP system to steal call data records (CDR).

Security experts from ESET discovered a new piece of malware, tracked as CDRThief, that targets the Linux VoIP platform, Linknat VOS2009/3000 softswitches, to steal call data records (CDR) from telephone exchange equipment.

The VoIP platform Linknat VOS2009 and VOS3000 targeted by the malware is used by two China-produced softswitches (software switches).

A softswitch is a software-based component of a VoIP network that provides call control, billing, and management features, it runs on standard Linux servers.

CDRThief specifically targets internal MySQL databases running in the devices to steal call metadata, including IP addresses of the callers, phone numbers, start time and duration of the call, call route, and call type.

“The primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including call detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, starting time of the call, call duration, calling fee, etc.” reads the analysis published by ESET.

“To steal this metadata, the malware queries internal MySQL databases used by the Softswitch.”

According to the experts, the attackers have good knowledge about the internal architecture of the targeted platform.

The ELF binary of this Linux malware was created with the Go compiler using the debug symbols left unmodified.

To avoid detection of malicious functionalities, the authors encrypted all suspicious-looking strings with the Corrected Block TEA (XXTEA) cipher and then running Base64 encoding.

To access the internal MySQL database, the malware reads credentials from Linknat VOS2009 and VOS3000 configuration files.

“Interestingly, the password from the configuration file is stored encrypted. However, Linux/CDRThief malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the algorithm and encryption keys used are not documented as far as we can tell.” continues the analysis.

ESET researchers believe the author of the CDRThief malware had to reverse engineer platform binaries to analyzed the encryption process and retrieve the AES key used to decrypts the database password.

The analysis of the source code of the malware revealed that it access tables in the DB that contain logs of system events, information about VoIP gateways, and call metadata.

The malware exfiltrates the data using JSON over HTTP after compressing and encrypting it with a hardcoded RSA-1024 public key.

Experts noticed other unlike other Linux backdoors, CDRThief does not support shell command execution and cannot exfiltrate specific files from the compromised equipment. We cannot exclude that future versions of the malware will include these features too.

The CDRThief can start from any location on the disk, using any file name. Once deployed, the malware tries to start a legitimate binary from the Linknat VOS2009/3000 platform:

exec -a '/home/kunshi/callservice/bin/callservice -r


At the time, experts were not able to provide info about the persistence mechanism implemented by the malware. Researchers speculate that malware might be inserted into the boot chain of the platform, likely masquerading it as a legitimate binary dubbed Linknat.

“However, since this malware exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage.” concludes the analysis. “Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud (IRSF).”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CDRThief)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment