Researchers at ESET cybersecurity have found a new Linux malware, that’s stealing call data from VoIP Softswitch systems. Though researchers didn’t find how it’s able to infect them and gathering just call metadata, they warned that it could be developed later to steal documents or other sensitive data.
Malware Stealing Data from Linux based VoIP Softswitches
VoIP Softswitch is a system that is a telecommunications management system that manages calls like voice, video, fax call routing, etc. Since they mostly run on Linux based servers, a malware spotted by researchers at ESET cybersecurity firm is specifically targetting those Softswitches.
They say the Softswitches based on Linux servers and belonging to a Chinese vendor called Linknat are being targeted. Models Linknat VOS2009 and 3000 soft switches are targeted by attackers somehow and install their malware. Researchers named this CDRThief since it steals the Call Details Records of a target.
Researchers say that the authors of this malware have been experts enough to understand the complete VoIP architecture, thereby reverse engineering to learn the encryption process and retrieve the AES key and decrypt the MySQL database where all call details are stored.
They start by searching for the configuration files of target Softswitch from the directories, to access the MySQL database. The details the malware steals as per researchers are the caller ID (caller and receiver) their IP address, call duration, call starting, and ending time. These metadata can give a glance at the target’s phone call with a certain person.
The authors of this CDRThief were also clever enough to encrypt their stolen data from the MySQL database to their form, thereby evading detection from static malware scans and also letting only the actual malware authors see the data.
Though the actual invention and how they’re attacking these Softswitches aren’t know yet, researchers warn they could develop to steal more sensitive data in the future.