{
	"id": "b61075f3-62c2-45d3-8ad5-418548ca60b3",
	"created_at": "2026-04-06T00:15:29.345071Z",
	"updated_at": "2026-04-10T03:20:38.939002Z",
	"deleted_at": null,
	"sha1_hash": "b84ab91b01d035e837693d29df795030e377c2cc",
	"title": "Who is calling? CDRThief targets Linux VoIP softswitches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 635989,
	"plain_text": "Who is calling? CDRThief targets Linux VoIP softswitches\r\nBy Anton Cherepanov\r\nArchived: 2026-04-05 17:01:18 UTC\r\nESET Research\r\nESET researchers have discovered and analyzed malware that targets Voice over IP (VoIP) softswitches\r\n10 Sep 2020  •  , 6 min. read\r\nThis new malware that we have discovered and named CDRThief is designed to target a very specific VoIP\r\nplatform, used by two China-produced softswitches (software switches): Linknat VOS2009 and VOS3000. A\r\nsoftswitch is a core element of a VoIP network that provides call control, billing, and management. These\r\nsoftswitches are software-based solutions that run on standard Linux servers.\r\nThe primary goal of the malware is to exfiltrate various private data from a compromised softswitch, including\r\ncall detail records (CDR). CDRs contain metadata about VoIP calls such as caller and callee IP addresses, starting\r\ntime of the call, call duration, calling fee, etc.\r\nTo steal this metadata, the malware queries internal MySQL databases used by the softswitch. Thus, attackers\r\ndemonstrate a good understanding of the internal architecture of the targeted platform.\r\nhttps://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/\r\nPage 1 of 10\n\nLinux/CDRThief analysis\r\nWe noticed this malware in one of our sample sharing feeds, and as entirely new Linux malware is a rarity, it\r\ncaught our attention. What was even more interesting was that it quickly became apparent that this malware\r\ntargeted a specific Linux VoIP platform. Its ELF binary was produced by the Go compiler with the debug symbols\r\nleft unmodified, which is always helpful for the analysis.\r\nTo hide malicious functionality from basic static analysis, the authors encrypted all suspicious-looking strings\r\nwith XXTEA and the key fhu84ygf8643, and then base64 encoded them. Figure 1 shows some of the code the\r\nmalware uses to decrypt these strings at runtime.\r\nFigure 1. 
The routine used to decrypt the binary's strings\r\nhttps://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/\r\nPage 2 of 10\n\nTo access internal data stored in the MySQL database, the malware reads credentials from Linknat VOS2009 and\r\nVOS3000 configuration files that it attempts to locate in the following paths:\r\n/usr/kunshi/vos2009/server/etc/server_db_config.xml\r\n/usr/kunshi/vos3000/server/etc/server_db_config.xml\r\n/home/kunshi/vos2009/server/etc/server_db_config.xml\r\n/home/kunshi/vos3000/server/etc/server_db_config.xml\r\n/home/kunshi/vos2009/etc/server_db_config.xml\r\n/home/kunshi/vos3000/etc/server_db_config.xml\r\n/usr/kunshi/vos2009/server/etc/serverdbconfig.xml\r\n/usr/kunshi/vos3000/server/etc/serverdbconfig.xml\r\nInterestingly, the password from the configuration file is stored encrypted. However, Linux/CDRThief malware is\r\nstill able to read and decrypt it. Thus, the attackers demonstrate deep knowledge of the targeted platform, since the\r\nalgorithm and encryption keys used are not documented as far as we can tell. It means that the attackers had to\r\nreverse engineer platform binaries or otherwise obtain information about the AES encryption algorithm and key\r\nused in the Linknat code.\r\nAs seen in Figure 2, CDRThief communicates with C\u0026C servers using JSON over HTTP.\r\nhttps://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/\r\nPage 3 of 10\n\nFigure 2. Captured network communication of the Linux/CDRThief malware\r\nThere are multiple functions in Linux/CDRThief’s code used for communication with C\u0026C servers. Table 1\r\ncontains the original names of these functions used by the malware authors.\r\nTable 1. 
Functions used for communication with C\u0026C\r\nFunction name C\u0026C path Purpose\r\nmain.pingNet /dataswop/a Checks if C\u0026C is alive\r\nhttps://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/\r\nPage 4 of 10\n\nFunction name C\u0026C path Purpose\r\nmain.getToken /dataswop/API/b Obtains token\r\nmain.heartbeat /dataswop/API/gojvxs\r\nMain C\u0026C loop, called every three\r\nminutes\r\nmain.baseInfo\r\n/dataswop/API/gojvxs\r\nExfiltrates basic information about\r\ncompromised Linknat system:\r\n#rowspan#        MAC address\r\n#rowspan#        cat /proc/version\r\n#rowspan#        whoami\r\n#rowspan#        cat /etc/redhat-release\r\n#rowspan#\r\n       UUID from\r\n/bin/ibus_10.mo (or /\r\nhome/kunshi/base/ibus_10.mo\r\n)\r\nmain.upVersion /dataswop/Download/updateGoGoGoGoGo Updates itself to the latest version\r\nmain.pushLog /dataswop/API/gojvxs Uploads malware error log\r\nmain.load\r\n/dataswop/API/gojvxs\r\nExfiltrates various information about\r\nthe platform:\r\n#rowspan#\r\n       SELECT\r\nSUM(TABLE_ROWS)\r\nFROM\r\ninformation_schema.TABLES\r\nWHERE table_name LIKE\r\n'e_cdr_%'\r\n#rowspan#        cat /etc/motd\r\nhttps://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/\r\nPage 5 of 10\n\nFunction name C\u0026C path Purpose\r\n#rowspan#\r\n       username, encrypted\r\npassword, IP address of the\r\ndatabase\r\n#rowspan#\r\n       ACCESS_UUID from\r\nserver.conf\r\n#rowspan#        VOS software version\r\nmain.syslogCall /dataswop/API/gojvxs Exfiltrates data from e_syslog tables\r\nmain.gatewaymapping /dataswop/API/gojvxs\r\nExfiltrates data from\r\ne_gatewaymapping tables\r\nmain.cdr /dataswop/API/gojvxs Exfiltrates data from e_cdr tables\r\nIn order to exfiltrate data from the platform, Linux/CDRThief executes SQL queries directly to the MySQL\r\ndatabase. 
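The string obfuscation described in the analysis section (XXTEA with the key fhu84ygf8643, then base64) is the first thing an analyst has to undo before the C&C paths and config-file locations in Table 1 become visible in a strings dump. The following is an added example, not ESET's code and not code recovered from the malware: it implements standard XXTEA (Corrected Block TEA) and the described base64 layering, plus a pass that tries every extracted string as a blob and keeps the ones that decrypt to printable text. Everything about framing is an assumption: the 12-byte key is zero-padded to the 16 bytes XXTEA needs, words are little-endian uint32, and data is zero-padded to a multiple of 4 bytes (at least 8). Real samples may frame data differently, for example with a trailing length word, so the sample blobs below are produced by the block's own obfuscate() rather than copied from a binary.

```python
'''Decode strings obfuscated as XXTEA + base64.

Added example, not ESET's or the malware's code. Key string from the article;
key padding, word order and data padding are assumptions (see lead-in).
'''
import base64
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
KEY_STRING = b'fhu84ygf8643'   # reported by ESET; padding to 16 bytes is assumed


def _key_words(key):
    '''Assumption: zero-pad the key to 128 bits, split into 4 little-endian words.'''
    return list(struct.unpack('<4I', key.ljust(16, b'\x00')[:16]))


def _to_words(data):
    '''Zero-pad to a multiple of 4 bytes (minimum 8) and split into LE uint32 words.'''
    data = data + b'\x00' * (-len(data) % 4)
    data = data.ljust(8, b'\x00')            # XXTEA needs at least two words
    return list(struct.unpack('<%dI' % (len(data) // 4), data))


def _from_words(words):
    return struct.pack('<%dI' % len(words), *words)


def _mx(s, y, z, p, e, k):
    '''XXTEA mixing function; callers mask the result to 32 bits.'''
    return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))


def xxtea_encrypt(v, k):
    '''Corrected Block TEA over a list of >= 2 uint32 words, in place.'''
    n = len(v)
    rounds = 6 + 52 // n
    s = 0
    z = v[n - 1]
    for _ in range(rounds):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(s, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt(v, k):
    '''Inverse of xxtea_encrypt: the same schedule walked backwards.'''
    n = len(v)
    rounds = 6 + 52 // n
    s = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(s, y, z, 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v


def obfuscate(text, key=KEY_STRING):
    '''Build a blob in the described layering (used here to construct test input).'''
    words = xxtea_encrypt(_to_words(text.encode('utf-8')), _key_words(key))
    return base64.b64encode(_from_words(words)).decode('ascii')


def deobfuscate(blob, key=KEY_STRING):
    '''base64-decode, XXTEA-decrypt, strip zero padding. Raises ValueError on bad input.'''
    raw = base64.b64decode(blob)
    if len(raw) < 8 or len(raw) % 4:
        raise ValueError('not an XXTEA block: need >= 8 bytes, a multiple of 4')
    words = xxtea_decrypt(_to_words(raw), _key_words(key))
    return _from_words(words).rstrip(b'\x00').decode('utf-8', errors='replace')


def recover_strings(candidates, key=KEY_STRING):
    '''Try every extracted string as a blob; keep the ones that decrypt to printable
    text. This is the pass you would run over a strings dump of the Go binary.'''
    found = {}
    for cand in candidates:
        try:
            text = deobfuscate(cand, key)
        except ValueError:                  # binascii.Error is a ValueError subclass
            continue
        if text and all(32 <= ord(ch) < 127 for ch in text):
            found[cand] = text
    return found


if __name__ == '__main__':
    # Constructed input: two strings from the article wrapped by obfuscate(), plus
    # plain symbol names a strings dump would also contain (they are rejected).
    sample = [obfuscate('/usr/kunshi/vos2009/server/etc/server_db_config.xml'),
              obfuscate('/dataswop/API/gojvxs'), 'main.pingNet', 'whoami']
    for blob, text in recover_strings(sample).items():
        print('%s -> %s' % (blob, text))
```

If the real samples use a different framing (for instance a length word, as some Go XXTEA libraries add), only `_to_words`, `_from_words` and the padding strip in `deobfuscate` need to change; the cipher core and the candidate filter stay the same.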
Mainly, the malware is interested in three tables:\r\ne_syslog – contains a log of system events\r\ne_gatewaymapping – contains information about VoIP gateways (see Figure 3)\r\ne_cdr – contains call detail records (metadata of calls)\r\nFigure 3. Disassembled code of the function that initializes an SQL query\r\nData to be exfiltrated from the e_syslog, e_gatewaymapping, and e_cdr tables is compressed and then encrypted with a hardcoded RSA-1024 public key before exfiltration. Thus, only the malware authors or operators can decrypt the exfiltrated data.\r\nBased on the described functionality, we can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief has no support for shell command execution or for exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version.\r\nThe malware can be deployed to any location on the disk under any file name. It is unknown what type of persistence is used to start the malicious binary at each boot. However, it should be noted that once the malware is started, it attempts to launch a legitimate binary present on the Linknat VOS2009/VOS3000 platform using the following command:\r\nexec -a '/home/kunshi/callservice/bin/callservice -r /home/kunshi/.run/callservice.pid'\r\nThis suggests that the malicious binary might somehow be inserted into the regular boot chain of the platform in order to achieve persistence, possibly masquerading as a component of the Linknat softswitch software.\r\nAt the time of writing we do not know how the malware is deployed onto compromised devices. 
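The persistence paragraph above gives a defender two concrete handles: the `exec -a` string, which sets argv[0] so the process reads as the Linknat callservice while /proc/<pid>/exe still resolves to the real binary, and the /dev/shm paths and SHA-1 hashes from the Indicators of Compromise section below. The following host triage script is an added example, not ESET's code. It encodes three checks that follow from the text: a /dev/shm listing matched against the file-based mutexes and update artefacts, a process whose argv[0] claims to be /home/kunshi/callservice/bin/callservice but whose exe link points elsewhere (and, because the quoted `exec -a` string is one shell word, whose argv[0] carries the flags inside a single argument), and a lookup against the listed hashes. The process records in the demo are constructed, not captured from a real host; the path of the genuine callservice binary is taken from the command shown in the article.

```python
'''Host triage for the CDRThief indicators given in the write-up.

Added example, not ESET's code. Indicator values come from the article; the
masquerade heuristic is this example's own inference from the exec -a command.
'''
import hashlib
import os

SHM_INDICATORS = {'/dev/shm/.bin', '/dev/shm/.linux',          # file-based mutexes
                  '/dev/shm/callservice', '/dev/shm/sys.png'}  # created during update
CALLSERVICE = '/home/kunshi/callservice/bin/callservice'        # from the exec -a string
KNOWN_SHA1 = {
    'cc373d633a16817f7d21372c56955923c9dda825',
    '8e2624da4d209abd3364d90f7bc08230f84510db',
    'fc7ccabb239ad6fd22472e5b7bb6a5773b7a3dac',
    '8532e858eb24ae38632091d2d790a1299b7bbc87',
    '82f51f098b85995c966135e9e7f63d1d8dc97589',
}


def shm_hits(listing):
    '''Entries of a /dev/shm listing (full paths) that match the IoC list.'''
    return sorted(p for p in listing if p in SHM_INDICATORS)


def masquerade_reason(argv, exe):
    '''argv: /proc/<pid>/cmdline split on NUL; exe: target of /proc/<pid>/exe.
    Returns why the process looks like the exec -a masquerade, or None.'''
    if not argv:
        return None
    first = argv[0].split()
    if not first or first[0] != CALLSERVICE:
        return None                          # does not claim to be callservice
    reasons = []
    real = exe[:-len(' (deleted)')] if exe.endswith(' (deleted)') else exe
    if os.path.normpath(real) != CALLSERVICE:
        reasons.append('exe is %s, not the claimed binary' % exe)
    if len(first) > 1:
        # The quoted exec -a string puts "path -r pidfile" into argv[0] as one
        # argument; the genuine service has -r and the pid file as separate entries.
        reasons.append('argv[0] carries flags inside a single argument')
    return '; '.join(reasons) or None


def is_known_sha1(hexdigest):
    return hexdigest.strip().lower() in KNOWN_SHA1


def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def scan_proc(proc_root='/proc'):
    '''Walk a procfs tree and return (pid, reason, exe) for suspicious processes.'''
    hits = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, 'cmdline'), 'rb') as f:
                argv = [a.decode('utf-8', 'replace') for a in f.read().split(b'\0') if a]
            exe = os.readlink(os.path.join(base, 'exe'))
        except OSError:
            continue                         # process exited, or not ours to read
        reason = masquerade_reason(argv, exe)
        if reason:
            hits.append((int(pid), reason, exe))
    return hits


if __name__ == '__main__':
    if os.path.isdir('/dev/shm'):
        names = os.listdir('/dev/shm')
        print('shm indicators:', shm_hits(os.path.join('/dev/shm', n) for n in names))
    for pid, reason, exe in scan_proc():
        tag = ''
        if os.path.isfile(exe) and is_known_sha1(sha1_of_file(exe)):
            tag = ' [hash in IoC list]'
        print('pid %d: %s%s' % (pid, reason, tag))
```

Run it as root on the softswitch so /proc/<pid>/exe is readable for every process; if callservice is installed behind a symlink, set CALLSERVICE to the resolved path, since the exe link shows the resolved target. A hash miss is not a clean bill of health: the article notes the binary can live anywhere under any name and that some samples are UPX-packed or updated in place, so the process check carries more weight than the hash check.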
We speculate that attackers might obtain access to the device using a brute-force attack or by exploiting a vulnerability. Such vulnerabilities in VOS2009/VOS3000 have been reported publicly in the past.\r\nConclusion\r\nWe analyzed Linux/CDRThief malware, whose sole purpose is to target specific VoIP softswitches. We rarely see VoIP softswitches targeted by threat actors; this makes Linux/CDRThief interesting.\r\nIt is hard to know the ultimate goal of the attackers who use this malware. However, since it exfiltrates sensitive information, including call metadata, it seems reasonable to assume that the malware is used for cyberespionage. Another possible goal is VoIP fraud: since the attackers obtain information about the activity of VoIP softswitches and their gateways, this information could be used to perform International Revenue Share Fraud (IRSF).\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.\r\nIndicators of Compromise\r\nESET detection name\r\nLinux/CDRThief.A\r\nFile based mutexes\r\n/dev/shm/.bin\r\n/dev/shm/.linux\r\nFiles created during malware update\r\n/dev/shm/callservice\r\n/dev/shm/sys.png\r\nHashes (SHA-1)\r\nCC373D633A16817F7D21372C56955923C9DDA825\r\n8E2624DA4D209ABD3364D90F7BC08230F84510DB (UPX packed)\r\nFC7CCABB239AD6FD22472E5B7BB6A5773B7A3DAC\r\n8532E858EB24AE38632091D2D790A1299B7BBC87 (Corrupted)\r\n82F51F098B85995C966135E9E7F63D1D8DC97589 (UPX packed)\r\nC\u0026C\r\nhttp://119.29.173[.]65\r\nhttp://129.211.157[.]244\r\nhttp://129.226.134[.]180\r\nhttp://150.109.79[.]136\r\nhttp://34.94.199[.]142\r\nhttp://35.236.173[.]187\r\nhttp://update[.]callercore[.]com\r\nExfiltration encryption key (RSA)\r\n-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCQ3k3GgS3FX4pI7s9x0krBYqbMcSaw4BPY91Ln\r\ntt5/X8s9l0BC6PUTbQcUzs6PPXhKKTx8ph5CYQqdWynxOLJah0FMMRYxS8d0HX+Qx9eWUeKRHm2E\r\nAtZQjdHxqTJ9EBpHYWV4RrWmeoOsWAOisvedlb23O0E55e8rrGGrZLhPbwIDAQAB\r\n-----END PUBLIC KEY-----\r\nMITRE ATT\u0026CK techniques\r\nNote: This table was built using version 7 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nDefense Evasion | T1027 | Obfuscated Files or Information | Linux/CDRThief contains obfuscated strings in the payload.\r\nDefense Evasion | T1027.002 | Obfuscated Files or Information: Software Packing | Some Linux/CDRThief samples are packed with UPX.\r\nCredential Access | T1552.001 | Unsecured Credentials: Credentials In Files | Linux/CDRThief reads credentials for the MySQL database from a configuration file.\r\nDiscovery | T1082 | System Information Discovery | Linux/CDRThief obtains detailed information about the compromised computer.\r\nCollection | T1560.003 | Archive Collected Data: Archive via Custom Method | Linux/CDRThief compresses stolen data with gzip before exfiltration.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | Linux/CDRThief uses HTTP for communication with the C\u0026C server.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | Linux/CDRThief exfiltrates data to the C\u0026C server.\r\nSource: https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/"
	],
	"report_names": [
		"who-callin-cdrthief-linux-voip-softswitches"
	],
	"threat_actors": [],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b84ab91b01d035e837693d29df795030e377c2cc.pdf",
		"text": "https://archive.orkl.eu/b84ab91b01d035e837693d29df795030e377c2cc.txt",
		"img": "https://archive.orkl.eu/b84ab91b01d035e837693d29df795030e377c2cc.jpg"
	}
}