
CDRThief malware targets Linux VoIP softswitches to steal call records

ESET researchers have identified a new malware strain called CDRThief that targets a specific VoIP platform used by two Chinese softswitches.

Security researchers at ESET discovered a new malware strain that targets Voice over Internet Protocol (VoIP) software switches (softswitches).

Dubbed CDRThief, the malware can steal sensitive private data, including call detail records (CDRs). The malware was discovered by ESET researcher Anton Cherepanov.

According to Cherepanov, compromised softswitches can help attackers perform several malicious deeds apart from stealing call metadata. For instance, they can carry out VoIP fraud after obtaining information about the activities of the VoIP softswitches and their gateways.

The attackers can also use the information to perform International Revenue Share Fraud. Cherepanov stated that the ultimate objective of CDRThief operators is hard to identify. Considering that it exfiltrates call metadata, it is safe to assume that the malware is used for cyberespionage.

“CDRs contain metadata about VoIP calls such as caller and IP addresses of call recipients, starting time of the call, call duration, call fees, and other information,” Cherepanov explained in a blog post.

The researchers further found that CDRThief is designed specifically to target two China-made VoIP softswitches, namely Linknat VOS2009 and VOS3000. However, it may only be a matter of time before the malware starts targeting softswitches around the world.

According to the researchers, CDRThief steals the metadata by querying internal MySQL databases that the softswitch uses, which indicates that the attackers have an extensive understanding of the targeted platform’s internal architecture.

The malware authors have encrypted all the suspicious-looking strings to keep its malicious functions from being detected. Although the configuration file password is encrypted, the malware can read and decrypt it, even though the encryption keys and the algorithm are not documented. Only the malware operators can decrypt the exfiltrated data. The malware can be deployed at any location on the disk under any file name.


Currently, it is unclear what kind of persistence is required for the malware to start functioning. However, once it starts, it launches a legitimate file stored on the Linknat platform. This means the malicious binary is inserted into the platform’s regular boot chain to ensure persistence and possibly disguise the malware as a Linknat softswitch software component.

A software switch is an integral element of a VoIP network, enabling call control, management, and billing. Softswitches generally run on Linux servers, and newly designed Linux malware is quite rare. This is why CDRThief caught the attention of Cherepanov.

Figure: Network communication of the Linux/CDRThief malware

“We noticed this malware in one of our sample sharing feeds, and as an entirely new Linux malware, it’s a rarity and caught our attention. What was even more interesting was that it quickly became apparent that this malware targeted a specific Linux VoIP platform,” added Cherepanov.
