The term softswitch (software switch) usually denotes the core element of a VoIP network: the component that controls and manages calls and produces the records on which billing is based. VoIP softswitches are programs that run on ordinary servers and route calls in software rather than on dedicated telephony hardware.
The researchers write that they are not yet sure who developed this highly specialized malware or for what purpose. In theory, attackers could use CDRThief for cyber espionage or for telephony fraud under the International Revenue Share Fraud (IRSF) scheme…
How CDRThief is distributed is also unclear. The researchers assume that the attackers gain access to the devices by brute-forcing credentials or by exploiting old vulnerabilities (bugs in VOS2009 and VOS3000 have been reported in the past). Once on a Linux server running Linknat VOS2009 or VOS3000, the malware looks for the Linknat configuration files and extracts from them the credentials for the MySQL database in which the softswitch stores call information (VoIP call metadata). It then connects to that database and runs SQL queries to collect the metadata, which is finally sent to a remote server.
“Interestingly, the password from the configuration file is encrypted. However, CDRThief can still read it and decrypt it. That is, the attackers demonstrate intimate knowledge of the target platform, because, as far as we can tell, the algorithms and encryption keys used are not documented. This means that the attackers had to reverse the platform binaries or obtain information about the AES encryption algorithm and the key used in the Linknat code in some other way,” said ESET specialist Anton Cherepanov.
Using CDRThief, the attackers thus steal private information: call metadata, including the phone numbers and IP addresses of the parties, call duration, cost and so on. CDRThief is a very unusual piece of malware in that it is designed solely to steal VoIP call metadata and nothing else: at least in the current version, it does not execute shell commands, does not search the file system and does not steal any other files. According to the researchers, this means that the operators behind the attacks know exactly what they want from each of their campaigns.
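The behaviour described above leaves one useful trace: every record the thief takes is pulled out through SQL against the softswitch's own database, using the softswitch's own credentials. That means an account- or host-based rule alone will not catch it, because the malware logs in exactly as the application does; what stands out is the query pattern, typically unfiltered reads of whole call-record tables. The following script is an added illustration, not ESET's or Linknat's code: it parses MySQL general-query-log lines and flags sessions that either read call-record tables from an account other than the expected one or run unfiltered SELECTs against them. The table names (`e_cdr`, `e_gatewaymapping`, `e_syslog`), the account `vos@localhost` and the log lines are constructed for the example and must be replaced with the real schema and accounts of the deployment.

```python
"""Flag suspicious reads of call-detail-record (CDR) tables in a MySQL general query log.

Added example, not code from ESET or Linknat. Table and account names and the sample
log are hypothetical. Enable the log on the server with:
    SET GLOBAL log_output = 'FILE'; SET GLOBAL general_log = 'ON';
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Tables holding call metadata (hypothetical names for this example).
SENSITIVE_TABLES = {"e_cdr", "e_gatewaymapping", "e_syslog"}

# The only account the softswitch itself is expected to use (hypothetical).
EXPECTED_ACCOUNTS = {"vos@localhost"}

# MySQL 5.7+/8.0 general log line: "<ISO time>\t<id> <Command>\t<Argument>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<id>\d+) (?P<cmd>\w+)\t?(?P<arg>.*)$")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on")
FROM_RE = re.compile(r"\bfrom\s+`?(?P<table>\w+)`?", re.IGNORECASE)

# Constructed sample: session 11 is the application's normal paged read, session 12
# dumps two CDR tables wholesale with the application's credentials (the CDRThief
# pattern), session 13 is a foreign account reading call records over the network.
SAMPLE_LOG = """\
Time                 Id Command    Argument
2020-09-10T09:00:00.000001Z\t   11 Connect\tvos@localhost on vos_db using Socket
2020-09-10T09:00:00.100000Z\t   11 Query\tSELECT callid, duration FROM e_cdr WHERE starttime > '2020-09-10 08:59' LIMIT 100
2020-09-10T09:00:05.000000Z\t   12 Connect\tvos@localhost on vos_db using Socket
2020-09-10T09:00:05.100000Z\t   12 Query\tSELECT * FROM e_cdr
2020-09-10T09:00:05.200000Z\t   12 Query\tSELECT * FROM e_gatewaymapping
2020-09-10T09:00:06.000000Z\t   12 Quit\t
2020-09-10T09:00:07.000000Z\t   13 Connect\troot@10.0.0.9 on vos_db using TCP/IP
2020-09-10T09:00:07.100000Z\t   13 Query\tSELECT callerid FROM e_cdr WHERE callid = 42
"""


@dataclass
class Session:
    account: str = "?"
    tables: set = field(default_factory=set)   # sensitive tables touched
    bulk_reads: list = field(default_factory=list)  # unfiltered SELECTs seen


def is_bulk_read(query: str) -> bool:
    """Heuristic: a SELECT with neither WHERE nor LIMIT reads the whole table."""
    q = query.lower()
    return q.startswith("select") and " where " not in q and " limit " not in q


def scan(log_text: str) -> list[dict]:
    """Return one finding per connection id that reads CDR tables suspiciously."""
    sessions: dict[int, Session] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header line or continuation of a multi-line statement
            continue
        cid, cmd, arg = int(m["id"]), m["cmd"], m["arg"]
        s = sessions.setdefault(cid, Session())
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                s.account = f"{c['user']}@{c['host']}"
        elif cmd == "Query":
            for table in FROM_RE.findall(arg):
                if table.lower() in SENSITIVE_TABLES:
                    s.tables.add(table.lower())
                    if is_bulk_read(arg):
                        s.bulk_reads.append(arg)

    findings = []
    for cid in sorted(sessions):
        s = sessions[cid]
        if not s.tables:
            continue
        reasons = []
        if s.account not in EXPECTED_ACCOUNTS:
            reasons.append(f"unexpected account {s.account}")
        if s.bulk_reads:
            reasons.append(f"{len(s.bulk_reads)} unfiltered SELECT(s) on {sorted(s.tables)}")
        if reasons:
            findings.append({"id": cid, "account": s.account, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"session {f['id']} ({f['account']}): " + "; ".join(f["reasons"]))
```

Two caveats for anyone turning this into a real detection: the general query log records every statement and is expensive on a busy softswitch, so a sampling window or the audit-log plugin is the more practical source; and the bulk-read heuristic will also fire on the softswitch's own reporting or backup jobs, which should be baselined and allowlisted by statement rather than by account, since the account is exactly what the thief borrows.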