Researchers at FireEye discovered a new backdoor tracked as MessageTap that China-linked APT41 group are using to spy on text messages sent or received
The experts found the MessageTap backdoor installed on a Linux-based Short Message Service Center (SMSC) server belonging to an unnamed telecommunications company. A Short Message Service Center (SMSC) is a network element in the mobile telephone network.
“FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.” reads the analysis published by FireEye. “Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts.”
The APT41 has been active since at least 2012, it was involved in both state-sponsored espionage campaigns and financially-motivated attacks since 2014. The group hit entities in several industries, including the gaming, healthcare, high-tech, higher education, telecommunications, and travel services industries.
Unlike other China-based actors, the group used custom malware in cyber espionage operations, experts observed 46 different malware families and tools in APT41 campaigns.
The first file (parm.txt) contains a list of International Mobile Subscriber Identity (IMSI) numbers and a list of phone numbers, the second file (keyword_parm.txt) includes a list of keywords that are read into
If the two files are present on the target machine, their contents are read and XOR decoded with a string containing a URL owned by the European Telecommunications Standards Institute (ETSI) pointing to a document that explains the Short Message Service (SMS) for GSM and UMTS Networks
Once the malware is executed, the configuration files are deleted from the disk, then MESSAGETAP begins monitoring all network connections to and from the server. The spyware uses the “
MessageTap is able to filter messages sent or received by specific phone numbers, containing certain keywords, or with specific IMSI numbers.
SMS messages of interest are saved to CSV files for later theft by the threat actor.
Experts pointed out that the use of unencrypted data
Experts at FireEye Mandiant also found APT41 hackers stealing call detail records (CDR) corresponded to high-ranking foreign individuals.
“In addition to MESSAGETAP SMS theft, FireEye Mandiant also identified the threat actor interacting with call detail record (CDR) databases to query, save and steal records during this same intrusion. The CDR records corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services.” concludes the analysis. “Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers. In contrast, MESSAGETAP captures the contents of specific text messages.
Experts have no doubts, hackers will continue to target telecommunications companies for cyber espionage campaigns.