# Who is calling? CDRThief targets Linux VoIP softswitches

**[welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/](https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/)**

September 10, 2020

ESET researchers have discovered and analyzed malware that targets Voice over IP (VoIP)
softswitches

[Anton Cherepanov](https://www.welivesecurity.com/author/acherepanov/)
10 Sep 2020 - 11:30AM

ESET researchers have discovered and analyzed malware that targets Voice over IP (VoIP)
softswitches

This new malware that we have discovered and named CDRThief is designed to target a very specific
VoIP platform, used by two China-produced softswitches (software switches): Linknat VOS2009 and
VOS3000. A softswitch is a core element of a VoIP network that provides call control, billing, and
management. These softswitches are software-based solutions that run on standard Linux servers.


-----

The primary goal of the malware is to exfiltrate various private data from a compromised softswitch,
[including call detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee](https://en.wikipedia.org/wiki/Call_detail_record)
IP addresses, starting time of the call, call duration, calling fee, etc.

To steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus,
attackers demonstrate a good understanding of the internal architecture of the targeted platform.

## Linux/CDRThief analysis

We noticed this malware in one of our sample sharing feeds, and as entirely new Linux malware is a
rarity, it caught our attention. What was even more interesting was that it quickly became apparent that
this malware targeted a specific Linux VoIP platform. Its ELF binary was produced by the Go compiler
with the debug symbols left unmodified, which is always helpful for the analysis.

To hide malicious functionality from basic static analysis, the authors encrypted all suspicious-looking
[strings with XXTEA and the key fhu84ygf8643, and then base64 encoded them. Figure 1 shows some](https://github.com/xxtea/xxtea-go)
of the code the malware uses to decrypt these strings at runtime.


-----

_Figure 1. The routine used to decrypt the binary’s strings_

To access internal data stored in the MySQL database, the malware reads credentials from Linknat
VOS2009 and VOS3000 configuration files that it attempts to locate in the following paths:

/usr/kunshi/vos2009/server/etc/server_db_config.xml
/usr/kunshi/vos3000/server/etc/server_db_config.xml
/home/kunshi/vos2009/server/etc/server_db_config.xml
/home/kunshi/vos3000/server/etc/server_db_config.xml
/home/kunshi/vos2009/etc/server_db_config.xml
/home/kunshi/vos3000/etc/server_db_config.xml
/usr/kunshi/vos2009/server/etc/serverdbconfig.xml
/usr/kunshi/vos3000/server/etc/serverdbconfig.xml


-----

Interestingly, the password from the configuration file is stored encrypted. However, Linux/CDRThief
malware is still able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the
targeted platform, since the algorithm and encryption keys used are not documented as far as we can
tell. It means that the attackers had to reverse engineer platform binaries or otherwise obtain
information about the AES encryption algorithm and key used in the Linknat code.

As seen in Figure 2, CDRThief communicates with C&C servers using JSON over HTTP.

_Figure 2. Captured network communication of the Linux/CDRThief malware_

There are multiple functions in Linux/CDRThief’s code used for communication with C&C servers.
Table 1 contains the original names of these functions used by the malware authors.

_Table 1. Functions used for communication with C&C_


-----

**Function name** **C&C path** **Purpose**

main.pingNet /dataswop/a Checks if C&C is
alive

main.getToken /dataswop/API/b Obtains token

main.heartbeat /dataswop/API/gojvxs Main C&C loop,
called every three
minutes

main.baseInfo /dataswop/API/gojvxs Exfiltrates basic
information about
compromised
Linknat system:

-    MAC address

-    cat /proc/version

-    whoami

-    cat /etc/redhat-release

-    UUID from
/bin/ibus_10.mo (or /
home/kunshi/base/ibus_10.mo )

main.upVersion /dataswop/Download/updateGoGoGoGoGo Updates itself to
the latest version

main.pushLog /dataswop/API/gojvxs Uploads malware
error log

main.load /dataswop/API/gojvxs Exfiltrates various
information about
the platform:

-    SELECT
SUM(TABLE_ROWS) FROM
information_schema.TABLES
WHERE table_name LIKE
'e_cdr_%'

-    cat /etc/motd

-    username, encrypted
password, IP address of the
database

-    ACCESS_UUID from
server.conf

-    VOS software version

main.syslogCall /dataswop/API/gojvxs Exfiltrates data
from e_syslog
tables


-----

**Function name** **C&C path** **Purpose**

main.gatewaymapping /dataswop/API/gojvxs Exfiltrates data
from
e_gatewaymapping
tables

main.cdr /dataswop/API/gojvxs Exfiltrates data
from e_cdr tables

In order to exfiltrate data from the platform, Linux/CDRThief executes SQL queries directly to the
MySQL database. Mainly, the malware is interested in three tables:

e_syslog – contains log of system events
e_gatewaymapping – contains information about VoIP gateways (see Figure 3)
e_cdr – contains call data records (metadata of calls)

_Figure 3. Disassembled code of the function that initializes an SQL query_


-----

Data to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then
encrypted with a hardcoded RSA-1024 public key before exfiltration. Thus, only the malware authors
or operators can decrypt the exfiltrated data.

Based on the described functionality, we can say that the malware’s primary focus is on collecting data
from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command
execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions
could be introduced in an updated version.

The malware can be deployed to any location on the disk under any file name. It’s unknown what type
of persistence is used for starting the malicious binary at each boot. However, it should be noted that
once the malware is started, it attempts to launch a legitimate binary present on the Linknat
VOS2009/VOS3000 platform using the following command:

exec -a ‘/home/kunshi/callservice/bin/callservice -r /home/kunshi/.run/callservice.pid’

This suggests that the malicious binary might somehow be inserted into a regular boot chain of the
platform in order to achieve persistence and possibly masquerading as a component of the Linknat
softswitch software.

At the time of writing we do not know how the malware is deployed onto compromised devices. We
speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a
vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past.

## Conclusion

We analyzed Linux/CDRThief malware, which has a unique purpose to target specific VoIP
softswitches. We rarely see VoIP softswitches targeted by threat actors; this makes the
Linux/CDRThief malware interesting.

It’s hard to know the ultimate goal of attackers who use this malware. However, since this malware
exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the
malware is used for cyberespionage. Another possible goal for attackers using this malware is VoIP
fraud. Since the attackers obtain information about activity of VoIP softswitches and their gateways,
[this information could be used to perform International Revenue Share Fraud (IRSF).](https://www.zdnet.com/article/phone-fraudsters-are-stealing-billions-each-year-through-a-scheme-known-as-irsf/)

_For any inquiries, or to make sample submissions related to the subject, contact us at_
_threatintel@eset.com._

## Indicators of Compromise

### ESET detection name

Linux/CDRThief.A

### File based mutexes

/dev/shm/.bin

/dev/shm/.linux


-----

### Files created during malware update

/dev/shm/callservice

/dev/shm/sys.png

### Hashes

CC373D633A16817F7D21372C56955923C9DDA825

8E2624DA4D209ABD3364D90F7BC08230F84510DB (UPX packed)

FC7CCABB239AD6FD22472E5B7BB6A5773B7A3DAC

8532E858EB24AE38632091D2D790A1299B7BBC87 (Corrupted)

82F51F098B85995C966135E9E7F63D1D8DC97589 (UPX packed)

### C&C

http://119.29.173[.]65

http://129.211.157[.]244

http://129.226.134[.]180

http://150.109.79[.]136

http://34.94.199[.]142

http://35.236.173[.]187

http://update[.]callercore[.]com

### Exfiltration encryption key (RSA)

—–BEGIN PUBLIC KEY—–
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ3k3GgS3FX4pI7s9x0krBYqbMcSaw4BPY91Ln
tt5/X8s9l0BC6PUTbQcUzs6PPXhKKTx8ph5CYQqdWynxOLJah0FMMRYxS8d0HX+Qx9eWUeKRHm2E
AtZQjdHxqTJ9EBpHYWV4RrWmeoOsWAOisvedlb23O0E55e8rrGGrZLhPbwIDAQAB

—–END PUBLIC KEY—–

## MITRE ATT&CK techniques

[Note: This table was built using version 7 of the MITRE ATT&CK framework.](https://attack.mitre.org/versions/)

**Tactic** **ID** **Name** **Description**


Defense
Evasion


T1027 Obfuscated Files or
Information


T1027.002 Obfuscated Files or
Information: Software
Packing


Some Linux/CDRThief
samples are packed
with UPX.


Credential
Access


T1552.001 Unsecured Credentials:
Credentials In Files


Linux/CDRThief contains
obfuscates strings in the payload.

Linux/CDRThief reads credentials
for MySQL database from a
configuration file.

Linux/CDRThief obtains detailed
information about the compromised
computer.


Discovery T1082 System Information
Discovery


-----

**Tactic** **ID** **Name** **Description**


Collection T1560.003 Archive Collected Data:
Archive via Custom
Method


Linux/CDRThief compresses stolen
data with gzip before exfiltration.

Linux/CDRThief uses HTTP for
communication with C&C server.

Linux/CDRThief exfiltrates data to
the C&C server.


Command
and
Control


T1071.001 Application Layer
Protocol: Web
Protocols


Exfiltration T1041 Exfiltration Over C2
Channel

10 Sep 2020 - 11:30AM


### Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center

 Newsletter

 Discussion


-----