New CDRThief Linux Malware Steals Call Details from VoIP Softswitch Systems


Cybersecurity researchers have discovered a new kind of Linux malware, dubbed “CDRThief”, that targets voice over IP (VoIP) softswitches in an attempt to steal VoIP call detail records.

“The primary goal of the malware is to exfiltrate various private data from a compromised Softswitch, including call detail records (CDR),” ESET researchers said in a Thursday analysis. CDRThief targets two specific Softswitch programs, namely VOS2009 and VOS3000, that are developed by the Chinese company Linknat.

To steal data, the malware queries the MySQL databases used by the Softswitch, which requires knowledge of the internal database schemas. The malware is also able to read the configuration files that store the encrypted passwords for the built-in MySQL database, indicating that the threat actors have detailed knowledge of the targeted platform.

“Data to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 public key before exfiltration. Thus, only the malware authors or operators can decrypt the exfiltrated data,” ESET said.
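As an added defender-side example (not from the article or from ESET), the following Python scans MySQL general query log lines for reads of the three tables named above that come from any client other than the softswitch's own database account. The general-log line layout, the `vosapp@localhost` allowlist entry, the `vosdb` database name and the sample log lines are all assumptions constructed for the example.

```python
import re

# Tables the article reports CDRThief reading before exfiltration.
SENSITIVE_TABLES = {"e_syslog", "e_gatewaymapping", "e_cdr"}
# Hypothetical allowlist: the softswitch's own service account and host.
ALLOWED_CLIENTS = {"vosapp@localhost"}
# Assumed general-log line shape: "<time>  <thread id> <Command>  <argument>"
LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
CONNECT_RE = re.compile(r"^(\S+@\S+)\s+on\b")
TABLE_RE = re.compile(r"\b(e_syslog|e_gatewaymapping|e_cdr)\b", re.I)

def scan_general_log(lines, allowed=ALLOWED_CLIENTS):
    """Map each thread id to its user@host from Connect events, then flag queries
    that touch the CDR-related tables from clients not on the allowlist."""
    thread_client, findings = {}, []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, tid, cmd, arg = m.groups()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            thread_client[tid] = c.group(1) if c else arg
        elif cmd == "Query":
            tables = tuple(sorted({t.lower() for t in TABLE_RE.findall(arg)}))
            client = thread_client.get(tid, "unknown")
            if tables and client not in allowed:
                findings.append((ts, client, tables, arg))
    return findings

def clients_touching_all_tables(findings):
    """Clients that read all three tables: a stronger signal than a single query."""
    seen = {}
    for _, client, tables, _ in findings:
        seen.setdefault(client, set()).update(tables)
    return sorted(c for c, t in seen.items() if t == SENSITIVE_TABLES)

# Constructed sample log lines, not real captured data.
SAMPLE_LOG = """\
2020-09-10T08:00:01.000000Z\t    7 Connect\tvosapp@localhost on vosdb using Socket
2020-09-10T08:00:02.000000Z\t    7 Query\tSELECT COUNT(*) FROM e_cdr
2020-09-10T08:05:10.000000Z\t   12 Connect\troot@203.0.113.5 on vosdb using TCP/IP
2020-09-10T08:05:11.000000Z\t   12 Query\tSELECT * FROM e_gatewaymapping
2020-09-10T08:05:12.000000Z\t   12 Query\tSELECT * FROM e_cdr WHERE start_time > '2020-09-01'
2020-09-10T08:05:13.000000Z\t   12 Query\tSELECT * FROM e_syslog
""".splitlines()

if __name__ == "__main__":
    for hit in scan_general_log(SAMPLE_LOG):
        print(hit)
```

The general log must be enabled on the database host for this to see anything, and a legitimate reporting job reading the same tables should be added to the allowlist rather than ignored.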

ESET’s Anton Cherepanov said, “At the time of writing we do not know how the malware is deployed onto compromised devices. We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability.”

It seems reasonable to assume that the malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP fraud. Since the attackers obtain information about the activity of VoIP Softswitches and their gateways, this information could be used to perform International Revenue Share Fraud (IRSF).

