The Chinese state-linked hacking group APT41 (APT stands for Advanced Persistent Threat) has been observed using a new, purpose-built tool called MESSAGETAP. Activity involving MESSAGETAP was first identified in 2019. When APT41 is not running financially motivated campaigns, it conducts espionage on behalf of the Chinese government, targeting organizations and individuals considered to be of interest to Beijing.
Looks for Specific Text Strings and Targeted Individuals
MESSAGETAP is deployed inside compromised telecommunications providers and targets SMS traffic. The tool is designed to single out specific subscribers or to look for particular keywords and text strings in the messages it intercepts. It is installed on Linux servers that operate as SMSCs (Short Message Service Centers), the infrastructure that receives, stores, and delivers text messages. After gaining a foothold on such a host, MESSAGETAP looks for two configuration files, 'keyword_parm.txt' and 'parm.txt'. The first holds the list of keywords the malware is meant to search for in intercepted messages. The second holds a list of IMSI (International Mobile Subscriber Identity) numbers; an IMSI is unique to each subscriber's SIM card, so, combined with the provider's subscriber records, it identifies the individuals singled out for APT41's espionage campaign.
The Collected Data is Transferred to the APT41 Server Periodically
Once both files have been read into memory alongside the MESSAGETAP code, the malware deletes them from disk to reduce the forensic footprint of its activity. It then inspects the SMS traffic passing through the server: messages containing any of the configured keywords are collected in one list, and messages sent to or from any of the configured IMSI numbers are collected in a second list. The contents of both lists are periodically transferred to the attackers' server. APT41 is likely using MESSAGETAP against political organizations, government bodies, and military institutions that are considered relevant to Chinese interests around the world.
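The read-then-delete behaviour described above is a hunting opportunity for defenders of SMSC hosts: a process that opens a file named 'keyword_parm.txt' or 'parm.txt' and then unlinks it shortly afterwards is worth a look. The following detector is an added example, not code from the article or from the FireEye research it summarizes. It assumes auditd is running on the host with syscall auditing for open/unlink, and it parses an abbreviated, constructed excerpt of auditd's SYSCALL/PATH record layout; the process name 'smsagent', the paths and the timestamps are all invented for the sample.

```python
import re
from collections import defaultdict

# File names MESSAGETAP reads on startup and then deletes (from the public reporting).
WATCHED = {"parm.txt", "keyword_parm.txt"}
# x86_64 syscall numbers: 2 = open, 257 = openat, 87 = unlink, 263 = unlinkat.
OPEN_SYSCALLS = {"2", "257"}
UNLINK_SYSCALLS = {"87", "263"}
WINDOW_SECONDS = 300.0  # assumed: a read followed by a delete within 5 minutes is suspicious

# Constructed sample log. auditd emits one SYSCALL record plus PATH records per syscall,
# linked by the msg=audit(<timestamp>:<serial>) identifier. Fields are abbreviated here.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1572000100.101:2001): arch=c000003e syscall=257 success=yes exit=4 pid=4242 comm="smsagent" exe="/usr/local/bin/smsagent"
type=PATH msg=audit(1572000100.101:2001): item=0 name="/var/tmp/keyword_parm.txt" nametype=NORMAL
type=SYSCALL msg=audit(1572000100.102:2002): arch=c000003e syscall=257 success=yes exit=5 pid=4242 comm="smsagent" exe="/usr/local/bin/smsagent"
type=PATH msg=audit(1572000100.102:2002): item=0 name="/var/tmp/parm.txt" nametype=NORMAL
type=SYSCALL msg=audit(1572000100.150:2003): arch=c000003e syscall=87 success=yes exit=0 pid=4242 comm="smsagent" exe="/usr/local/bin/smsagent"
type=PATH msg=audit(1572000100.150:2003): item=0 name="/var/tmp/" nametype=PARENT
type=PATH msg=audit(1572000100.150:2003): item=1 name="/var/tmp/keyword_parm.txt" nametype=DELETE
type=SYSCALL msg=audit(1572000100.151:2004): arch=c000003e syscall=87 success=yes exit=0 pid=4242 comm="smsagent" exe="/usr/local/bin/smsagent"
type=PATH msg=audit(1572000100.151:2004): item=0 name="/var/tmp/" nametype=PARENT
type=PATH msg=audit(1572000100.151:2004): item=1 name="/var/tmp/parm.txt" nametype=DELETE
type=SYSCALL msg=audit(1572003700.000:2100): arch=c000003e syscall=257 success=yes exit=3 pid=900 comm="backup" exe="/usr/bin/backup"
type=PATH msg=audit(1572003700.000:2100): item=0 name="/etc/app/parm.txt" nametype=NORMAL
"""

MSG_RE = re.compile(r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(log_text):
    """Group auditd records by serial into events: timestamp, SYSCALL fields, list of PATH dicts."""
    events = {}
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["serial"], {"ts": float(m["ts"]), "paths": []})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["rest"])}
        if m["type"] == "SYSCALL":
            ev.update(fields)
        elif m["type"] == "PATH":
            ev["paths"].append(fields)
    return [events[k] for k in sorted(events, key=int)]


def find_read_then_delete(events, window=WINDOW_SECONDS):
    """Alert when a process opens a watched file and the same process deletes it within `window`.

    A benign process that only reads a file with the same name (the 'backup' event in the
    sample) produces no alert, which keeps the rule from firing on every parm.txt on the box.
    """
    opened = defaultdict(dict)  # pid -> basename -> timestamp of the successful open
    alerts = []
    for ev in events:
        if ev.get("success") != "yes":
            continue
        syscall, pid = ev.get("syscall"), ev.get("pid")
        for p in ev["paths"]:
            name = p.get("name", "")
            base = name.rsplit("/", 1)[-1]
            if base not in WATCHED:
                continue  # also skips the PARENT directory record of an unlink
            if syscall in OPEN_SYSCALLS:
                opened[pid][base] = ev["ts"]
            elif syscall in UNLINK_SYSCALLS and p.get("nametype") == "DELETE":
                t_open = opened[pid].get(base)
                if t_open is not None and ev["ts"] - t_open <= window:
                    alerts.append({"pid": pid, "exe": ev.get("exe"), "file": name,
                                   "delay_s": round(ev["ts"] - t_open, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_read_then_delete(parse_records(SAMPLE_LOG)):
        print(f"ALERT pid={alert['pid']} exe={alert['exe']} read-then-deleted {alert['file']} "
              f"after {alert['delay_s']}s")
```

To produce the records this script expects, the host needs an audit rule along the lines of `-a always,exit -F arch=b64 -S open,openat,unlink,unlinkat -F dir=/var/tmp -k smsc_cfg`; without a `dir=` or `exe=` filter the rule is far too noisy on a busy SMSC. The correlation is deliberately keyed on the same pid deleting what it read, since a separate cleanup job removing stale files is normal and should not page anyone.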
Researchers have not established how APT41 gains its initial access to telecommunications providers, but it is clear that the Chinese government does not hesitate to use the services of cybercriminals to advance its interests. It has been speculated that MESSAGETAP may be used in operations against the Hong Kong protests and to track the activities of prominent figures involved in the anti-Beijing rallies.