Go to listing page

New CDRThief Malware Aims to Steal Your VoIP Call Detail Records

New CDRThief Malware Aims to Steal Your VoIP Call Detail Records
Bad actors have been increasingly targeting Linux-based systems that are used to host a wide range of business applications. Recently, another new malware has been identified targeting the critical Voice over IP (VoIP) call metadata stored on Linux-based servers.

What has been discovered?

Dubbed CDRThief, the rare Linux malware targets VoIP softswitches, the software solution that ensures the connection between internal and external lines.
  • Primarily, the malware attempts to steal metadata from compromised softswitch, including sensitive data such as Call Detail Records (CDRs).
  • CDRThief targets two specific softswitch programs, namely VOS2009 and VOS3000, that are developed by the Chinese company Linknat.

Additional insights

Further analysis of the malware disclosed that the developers have a deep knowledge of the internal workings of the targeted products.
  • To steal data, the malware queries the MySQL databases used by the softswitch, which requires knowledge of the internal database schemas.
  • The malware is capable of reading the configuration files that store the encrypted passwords for the built-in MySQL database, indicating the at-par skillset of these threat actors.

Recent attacks on Linux-based systems

In recent months, several threat actors and malware have attempted to target Linux-based applications or systems.
  • In August 2020, Lemon_Duck cryptomining malware and Lucifer cryptominer were updated to target Linux devices.
  • In mid-August, five different Chinese APT groups were found using the same combination of Linux rootkit and backdoors, all linked to the Winnti group.
  • Around the same time, the Russian state-linked hacking group Fancy Bear was found using Drovorub, a highly-capable malware designed to infect Linux systems, for its cyberespionage operations.

In conclusion

A good portion of enterprise infrastructure, for instance, the web servers operated by tech giants like Google, Facebook, and Amazon, are hosted on Linux. Thus, it is very safe to say that attackers will continue to put their efforts towards the development of new tools and techniques to tamper with Linux-based infrastructure for a greater return on investment. This is certainly a matter of concern for businesses that rely on Linux systems for their strong Unix-like security promise.

Cyware Publisher