March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – Dridex Activity on the Rise
September 11, 2020
NetWalker Ransomware Hits K-Electric
September 13, 2020
Rewterz Threat Alert – Dridex Activity on the Rise
September 11, 2020
NetWalker Ransomware Hits K-Electric
September 13, 2020
Severity
Medium
Analysis Summary
A new malware CDRThief is found targeting a specific Voice over IP system to steal call data records (CDR) from telephone exchange equipment. Analysis of the malware revealed that it was specifically created for a particular Linux VoIP platform, namely Linknat VOS2009/3000 softswitches. A softswitch is a software solution acting as a VoIP server that manages traffic (audio/video/text) in a telecommunication network. It is a central element that ensures a connection between both internal and external lines.
CDRThief’s purpose is to compromise VOS2009/3000 softswitches and steal call metadata from internal MySQL databases, such as IP addresses of the callers, phone numbers, start time and duration of the call, its route, and type. The malware also attempted to obfuscate malicious functionality using the Corrected Block TEA (XXTEA) cipher and then running Base64 encoding on suspicious-looking links. Although access to the MySQL database is password-protected, the key is encrypted at rest in the configuration file, the CDRThief can read and decrypt it, indicating that whoever developed it knows the attacked platform very well. CDRThief’s interest is in tables containing logs of system events, information about VoIP gateways, and call metadata. The malware delivers the information to a command and control (C2) server using JSON over HTTP after compressing and encrypting it with a hardcoded RSA-1024 public key.
Impact
- Unauthorized Access
- Theft of sensitive information
Indicators of Compromise
MD5
- 3339b8c4a522548b67fca732c54fa232
- 7124c56ab6d8133e2ed2042fb8c2248e
- 926c77d3d9fdad7217a9b49bdf033336
SHA-256
- 6b15cf51e4dff3e25b805173eef88940dbeb52b2662bd265450e6e54d5bb84d6
- 665acb48f9ad6317806231e52e5d3d05e91a93b20f40771a55e634192e8b094b
- ffe88d3012c15a680a506f0382264ea763ff2d426bf4ad3caf03111d47d9a80c
SHA1
- fc7ccabb239ad6fd22472e5b7bb6a5773b7a3dac
- cc373d633a16817f7d21372c56955923c9dda825
- 8e2624da4d209abd3364d90f7bc08230f84510db
URL
- http[:]//129[.]211[.]157[.]244
- http[:]//150[.]109[.]79[.]136
- http[:]//129[.]226[.]134[.]180
- http[:]//35[.]236[.]173[.]187
- http[:]//119[.]29[.]173[.]65
- http[:]//34[.]94[.]199[.]142
Remediation
Block the threat indicators at their respective controls.