New CDRThief Malware Targets VoIP Softswitches and Gateways

By

A rare type of Linux malware that targets VoIP telephony switches to steal metadata from call details has been discovered. ESET, a cybersecurity firm from Slovakia, said the CDRThief malware is designed to target two softswitches produced in China, the Linknat VOS2009 and VOS3000.

CDRThief works by querying internal MySQL databases used by the softswitches to gain an understanding of the VoIP platform architecture. The malware then exfiltrates private data from the switch, including call detail records (CDRs), which contain information about caller and recipient IP addresses, call duration, fee and starting time of the call.

"Based on the described functionality, we can say that the malware’s primary focus is on collecting data from the database," wrote Anton Cherepanov, senior malware researcher at ESET. "The malware can be deployed to any location on the disk under any file name."

"At the time of writing we do not know how the malware is deployed onto compromised devices," he added. "We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past."

ESET said it's difficult to determine the ultimate goal of attackers using CDRThief. They conclude that since the malware is designed to steal sensitive information like call metadata, it is most likely being used for cyberespionage or VoIP fraud.

And since attackers focus on stealing information on VoIP softswitch and gateway activity, the data may be used to perform International Revenue Share Fraud (IRSF). That scheme involves premium phone numbers, which are typically used to support automatic, phone-based purchases. Those numbers are offered by International Premium Rate Number (IPRN) providers, which charge telephone companies a high fee to relay calls on those numbers. Those costs are passed down to customers through monthly invoices or real-time phone crediting systems. Companies renting the premium numbers also get a cut of the profits for driving callers to that number.

Many unscrupulous IPRNs have realized they can drive more traffic, and profits, by enabling spammers and criminal groups to abuse their networks. The result is IRSF schemes, which have become increasingly popular and are difficult to detect. Malware is one of the most common gateways to this type of scheme.




Edited by Maurice Nagle

TechZone360 Contributing Editor

SHARE THIS ARTICLE
Related Articles

IKIN Brings Hands-on Holographic Content Development Experience to Developers at ITEXPO

By: Erik Linask    6/10/2021

IKIN is giving developers a chance to learn first-hand how to create 3D holographic content at IKIN University at ITEXPO.

Read More

IKIN University, RYZ SDK Open Door to 3D World

By: Maurice Nagle    6/9/2021

Recently IKIN CMO Michael D'Arminio and EVP, Marketing Cody Oakland dished on how IKIN is deploying imagination - no, seriously. The IKIN RYZ SDK empo…

Read More

How to build a website in 6 steps!

By: Special Guest    6/9/2021

Creating a new website is not as easy as it seems. Because it involves designing and coding a website. If you don't know how to do things like that, i…

Read More

Setting Up a Home Office: The Dos and Don'ts

By: Special Guest    6/8/2021

The ongoing pandemic has forced many Americans to readjust in many ways, including shifting to remote work. Working from a home office no longer raise…

Read More

6 Ways Technology is Changing the Investing Landscape

By: Special Guest    6/8/2021

COVID-19 has changed the world of investing for good. In fact, 25% of investors are now considered "retail", which represents an all-time high. Tec…

Read More