CDRThief

CDRThief is a peculiar piece of malware that security researchers discovered recently. CDRThief targets Linux-based servers and attempts to collect data from two specific Voice-over-IP (VoIP) software switches. Softswitches connect telephone calls from one phone line to another, either through a telecommunication network or over the Internet, entirely in software rather than the more traditional way, which relies on purpose-built electronic hardware.

Although the specific attack vector used to sneak CDRThief onto the targeted systems remains unknown, the threat's post-compromise behavior has been analyzed. CDRThief is designed to extract data from just two softswitch programs, VOS2009 and VOS3000, developed by the Chinese company Linknat. After being deployed on a system running either of the two programs, the malware scans for Linknat configuration files in order to collect the credentials of the MySQL database. Although the database password is stored in encrypted form, CDRThief is able to read and decrypt it. This is evidence that the hackers behind the threat have intimate knowledge of the VoIP software sector and of the inner workings of the Linknat products in particular: they had to either reverse engineer the binaries of the programs or obtain the details of the AES encryption algorithm and key by other means.

After obtaining the credentials successfully, CDRThief connects to the MySQL database and runs SQL queries to collect call record details (VoIP metadata). All collected information is then transmitted to a remote server under the control of the criminals.
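The two behaviours described above (decrypting the softswitch's database credentials from its configuration files, then querying the call detail records with those credentials) leave a trace in the database server itself: sessions that read the CDR tables in a way the softswitch never does. The following script is an added example, not code from the original article or from Linknat or the malware analysis. It reviews a MySQL general query log with two heuristics: a CDR read from a user@host pair that is not the softswitch's own, and a CDR read with no WHERE clause (a whole-table dump) from any session. The second heuristic matters because malware running on the softswitch host connects from localhost with the stolen credentials, so allowlisting the connecting host alone would not catch it. The account name, host, CDR table names and log lines are all constructed placeholders.

```python
"""Heuristic review of a MySQL general_log for call-detail-record harvesting.

Added example, not code from the original article nor from Linknat or the
malware analysis. Assumptions: the MySQL general_log is enabled and written
to a file in the MySQL 5.7/8.0 text format; the softswitch's own database
account and connecting host are the ALLOWED_SESSIONS placeholder; the tables
holding call detail records match the CDR_TABLE_PATTERN placeholder. The
sample log lines below are constructed for this example."""
import re

# Placeholder: the softswitch's legitimate account(s) and connecting host(s).
ALLOWED_SESSIONS = {("vos_app", "localhost")}
# Placeholder pattern for the CDR tables; replace with the real table names.
CDR_TABLE_PATTERN = re.compile(r"\b(?:e_cdr|cdr_\w+)\b", re.IGNORECASE)

# general_log line shapes: "<timestamp> <thread id> Connect <user>@<host> on <db> ..."
# and "<timestamp> <thread id> Query <sql>". Other commands (Quit, Init DB) are ignored.
CONNECT_RE = re.compile(
    r"^\S+\s+(?P<tid>\d+)\s+Connect\s+(?P<user>[^@\s]+)@(?P<host>\S+)\s+on\b")
QUERY_RE = re.compile(r"^\S+\s+(?P<tid>\d+)\s+Query\s+(?P<sql>.+)$")
SELECT_RE = re.compile(r"^\s*SELECT\b", re.IGNORECASE)
WHERE_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)

# Constructed sample: thread 5 is the softswitch doing a normal lookup, thread 9
# is an account the softswitch does not use, thread 12 holds the softswitch's
# own (stolen) credentials but dumps a whole CDR table.
SAMPLE_LOG = """\
2020-09-10T08:15:01.100000Z     5 Connect   vos_app@localhost on vos_db using Socket
2020-09-10T08:15:01.200000Z     5 Query     SELECT caller, callee, duration FROM e_cdr WHERE id = 1001
2020-09-10T08:15:01.300000Z     5 Quit
2020-09-10T08:15:02.300000Z     9 Connect   report@localhost on vos_db using TCP/IP
2020-09-10T08:15:02.400000Z     9 Query     SELECT * FROM e_cdr WHERE start_time > '2020-09-01'
2020-09-10T08:15:03.500000Z    12 Connect   vos_app@localhost on vos_db using TCP/IP
2020-09-10T08:15:03.550000Z    12 Query     SELECT 1
2020-09-10T08:15:03.600000Z    12 Query     SELECT caller, callee, duration FROM cdr_2020_09
"""


def analyze_general_log(lines):
    """Return a list of findings, in log order, for suspicious CDR-table reads.

    Each finding is a dict with the thread id, the (user, host) session, the
    reason ("cdr_read_from_unexpected_session" or "cdr_full_table_read") and
    the offending statement. A query whose Connect line was not seen (log
    rotated mid-session) is attributed to the session ("?", "?") and is
    therefore treated as unexpected rather than silently trusted."""
    sessions = {}  # thread id -> (user, host), filled from Connect lines
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = CONNECT_RE.match(line)
        if m:
            sessions[m.group("tid")] = (m.group("user"), m.group("host"))
            continue
        m = QUERY_RE.match(line)
        if not m:
            continue  # Quit lines, continuation lines of multi-line statements, etc.
        tid, sql = m.group("tid"), m.group("sql").strip()
        if not CDR_TABLE_PATTERN.search(sql):
            continue  # statement does not touch the call detail records
        session = sessions.get(tid, ("?", "?"))
        if session not in ALLOWED_SESSIONS:
            findings.append({"tid": tid, "session": session,
                             "reason": "cdr_read_from_unexpected_session", "sql": sql})
        if SELECT_RE.match(sql) and not WHERE_RE.search(sql):
            findings.append({"tid": tid, "session": session,
                             "reason": "cdr_full_table_read", "sql": sql})
    return findings


def sample_findings():
    """Run the analysis over the constructed sample log."""
    return analyze_general_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in sample_findings():
        print(f"thread {finding['tid']} {finding['session'][0]}@{finding['session'][1]}: "
              f"{finding['reason']}: {finding['sql']}")
```

On a production softswitch the general log is expensive, so the same logic is better fed from the audit plugin or from a network tap on the database port; either way the allowlist and the table pattern must be filled in from the real deployment. The log-based check also complements, rather than replaces, a file-access watch on the Linknat configuration files, since a read of those files by anything other than the softswitch process is the earlier signal of the behaviour the article describes.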

The exact purpose of CDRThief remains unknown, but judging by its functionality, the researchers speculate that it is used either for cyber-espionage or as part of an International Revenue Share Fraud (IRSF) scheme, which exploits premium-rate phone numbers to generate monetary gains.
