
Rewterz Threat Alert – New CDRThief Malware Steals VoIP Metadata from Linux Softswitches

September 11, 2020

Severity

Medium

Analysis Summary

CDRThief is a newly discovered Linux malware that targets one specific Voice over IP (VoIP) platform, the Linknat VOS2009 and VOS3000 softswitches, to steal call detail records (CDRs) from telephone exchange equipment. Analysis of the samples shows the malware was written for this platform alone. A softswitch is a software VoIP server that manages traffic (audio, video and text) in a telecommunication network; it is the central element that connects internal and external lines.

CDRThief compromises VOS2009/VOS3000 softswitches and steals call metadata from the platform's internal MySQL databases: the IP addresses of the callers, phone numbers, call start time and duration, and the route and type of each call. To hide its intent, the malware encrypts suspicious-looking strings such as its command-and-control (C2) addresses with the Corrected Block TEA (XXTEA) cipher and then Base64-encodes the result. Access to the MySQL database is password-protected and the password is stored encrypted in the platform's configuration file, but CDRThief knows how to read and decrypt it, which indicates that its authors understand the targeted platform well. The malware reads the tables that hold system event logs, VoIP gateway information and call metadata, compresses the data, encrypts it with a hard-coded RSA-1024 public key and sends it to the C2 server as JSON over HTTP. Because the exfiltrated data is encrypted to the attacker's public key, captured traffic cannot be decrypted by defenders without the matching private key; detection has to rely on the destination addresses and the unexpected JSON-over-HTTP posts from a softswitch.
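The string obfuscation described above (XXTEA, then Base64) can be reversed once the key is recovered from a sample. The following is an added example, not code from the advisory or from the malware itself: it implements XXTEA over little-endian 32-bit words with zero padding and shows the obfuscate/de-obfuscate round trip on a constructed C2 URL. The key DEMO_KEY, the word order and the padding scheme are assumptions, because the page does not give the malware's key or its exact string layout; an analyst would swap in the values recovered from the binary.

```python
import base64
import struct

DELTA = 0x9E3779B9   # TEA/XXTEA golden-ratio constant
MASK = 0xFFFFFFFF    # keep every intermediate value in uint32 range

# Placeholder key constructed for this example. The key CDRThief actually
# uses is not given on this page and must be recovered from the sample.
DEMO_KEY = bytes(range(16))


def _mx(sum_, y, z, p, e, key):
    # Mixing function from the reference btea() implementation of XXTEA.
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((sum_ ^ y) + (key[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, key):
    """Encrypt a list of at least two uint32 words in place with a four-word key."""
    n = len(v)
    rounds = 6 + 52 // n
    sum_ = 0
    z = v[n - 1]
    for _ in range(rounds):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, key)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(sum_, y, z, n - 1, e, key)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, key):
    """Inverse of xxtea_encrypt_words(), also in place."""
    n = len(v)
    rounds = 6 + 52 // n
    sum_ = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, key)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, key)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return v


def _pack_words(data):
    # Little-endian uint32 words, zero-padded to a multiple of 4 bytes and to
    # at least 8 bytes (XXTEA needs two words). Word order and padding are
    # assumptions for this example; a real sample may pack its strings differently.
    pad = (-len(data)) % 4
    if len(data) + pad < 8:
        pad = 8 - len(data)
    padded = data + b"\x00" * pad
    return list(struct.unpack("<%dI" % (len(padded) // 4), padded))


def _unpack_words(words):
    return struct.pack("<%dI" % len(words), *words)


def _key_words(key16):
    if len(key16) != 16:
        raise ValueError("XXTEA key must be 16 bytes")
    return list(struct.unpack("<4I", key16))


def obfuscate(text, key16):
    """XXTEA-encrypt a string, then Base64-encode it: the scheme the advisory describes."""
    words = xxtea_encrypt_words(_pack_words(text.encode("utf-8")), _key_words(key16))
    return base64.b64encode(_unpack_words(words)).decode("ascii")


def deobfuscate(blob, key16):
    """Reverse obfuscate(): Base64-decode, XXTEA-decrypt, strip the zero padding."""
    raw = base64.b64decode(blob)
    if len(raw) < 8 or len(raw) % 4:
        raise ValueError("ciphertext is not a whole number of XXTEA words")
    words = list(struct.unpack("<%dI" % (len(raw) // 4), raw))
    plain = _unpack_words(xxtea_decrypt_words(words, _key_words(key16)))
    return plain.rstrip(b"\x00").decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample: the blob is what an analyst sees in the binary;
    # the goal is to recover the C2 URL from it with the recovered key.
    blob = obfuscate("http://129.211.157.244/", DEMO_KEY)
    print(blob)
    print(deobfuscate(blob, DEMO_KEY))
```

Decrypting with the wrong key yields unreadable bytes rather than an error, so a practical decoder tries each candidate key pulled from the sample and keeps the outputs that look like URLs or IP addresses.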

Impact

  • Unauthorized Access
  • Theft of sensitive information

Indicators of Compromise

MD5

  • 3339b8c4a522548b67fca732c54fa232
  • 7124c56ab6d8133e2ed2042fb8c2248e
  • 926c77d3d9fdad7217a9b49bdf033336

SHA-256

  • 6b15cf51e4dff3e25b805173eef88940dbeb52b2662bd265450e6e54d5bb84d6
  • 665acb48f9ad6317806231e52e5d3d05e91a93b20f40771a55e634192e8b094b
  • ffe88d3012c15a680a506f0382264ea763ff2d426bf4ad3caf03111d47d9a80c

SHA-1

  • fc7ccabb239ad6fd22472e5b7bb6a5773b7a3dac
  • cc373d633a16817f7d21372c56955923c9dda825
  • 8e2624da4d209abd3364d90f7bc08230f84510db

URL

  • http[:]//129[.]211[.]157[.]244
  • http[:]//150[.]109[.]79[.]136
  • http[:]//129[.]226[.]134[.]180
  • http[:]//35[.]236[.]173[.]187
  • http[:]//119[.]29[.]173[.]65
  • http[:]//34[.]94[.]199[.]142

Remediation

Block the listed C2 addresses at egress firewalls and web proxies and alert on any outbound connection to them, and search hosts for the listed file hashes, giving priority to Linknat VOS2009/VOS3000 softswitches. Because CDRThief reads and decrypts the MySQL credentials from the softswitch configuration file, treat those credentials as exposed on any host where an indicator matches: rotate the database password and review MySQL access and query logging, where available, for unexpected reads of the call-metadata tables. Confirm indicator matches before acting on them, since C2 addresses can be reassigned over time.
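As an added example that is not part of the advisory, the following script turns the indicators above into a hunt: it refangs the published URLs into C2 IP addresses, flags log lines that reference them, and walks a directory comparing file digests against the listed MD5, SHA-1 and SHA-256 values. The SAMPLE_LOG lines and the file written by demo_file_scan() are constructed for the example, not real traffic or a real sample.

```python
import hashlib
import os
import re
import tempfile

# Indicators copied from the advisory above, kept in their published (defanged) form.
IOC_HASHES = {
    "md5": {
        "3339b8c4a522548b67fca732c54fa232",
        "7124c56ab6d8133e2ed2042fb8c2248e",
        "926c77d3d9fdad7217a9b49bdf033336",
    },
    "sha1": {
        "fc7ccabb239ad6fd22472e5b7bb6a5773b7a3dac",
        "cc373d633a16817f7d21372c56955923c9dda825",
        "8e2624da4d209abd3364d90f7bc08230f84510db",
    },
    "sha256": {
        "6b15cf51e4dff3e25b805173eef88940dbeb52b2662bd265450e6e54d5bb84d6",
        "665acb48f9ad6317806231e52e5d3d05e91a93b20f40771a55e634192e8b094b",
        "ffe88d3012c15a680a506f0382264ea763ff2d426bf4ad3caf03111d47d9a80c",
    },
}
IOC_URLS = [
    "http[:]//129[.]211[.]157[.]244",
    "http[:]//150[.]109[.]79[.]136",
    "http[:]//129[.]226[.]134[.]180",
    "http[:]//35[.]236[.]173[.]187",
    "http[:]//119[.]29[.]173[.]65",
    "http[:]//34[.]94[.]199[.]142",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator):
    """Turn a defanged indicator (hxxp, [.], [:]) back into the form seen on the wire."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def ioc_ips(urls=IOC_URLS):
    """The set of C2 IP addresses taken from the URL indicators."""
    return {re.sub(r"^https?://", "", refang(u)).split("/")[0] for u in urls}


def hash_file(path):
    """MD5, SHA-1 and SHA-256 of one file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in (md5, sha1, sha256):
                h.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_files(root, hashes=IOC_HASHES):
    """Walk root and return (path, algorithm, digest) for files matching any listed hash."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:  # unreadable or vanished file: skip it, keep scanning
                continue
            hits.extend((path, algo, d) for algo, d in digests.items()
                        if d in hashes.get(algo, ()))
    return hits


def scan_log(lines, ips=None):
    """Return (line_number, ip, line) for every log line that mentions a C2 address."""
    ips = ioc_ips() if ips is None else ips
    hits = []
    for number, line in enumerate(lines, 1):
        for ip in dict.fromkeys(IP_RE.findall(line)):  # de-duplicate, keep order
            if ip in ips:
                hits.append((number, ip, line.strip()))
    return hits


# Constructed egress-proxy lines for a softswitch host; not real traffic.
SAMPLE_LOG = [
    "2020-09-10T08:12:01Z vos3000-01 CONNECT 203.0.113.10:443 ALLOW",
    "2020-09-10T08:12:07Z vos3000-01 POST http://129.211.157.244/ 200 4096",
    "2020-09-10T08:13:44Z vos3000-01 GET http://198.51.100.7/update 200 512",
    "2020-09-10T08:15:02Z vos3000-01 POST http://35.236.173.187/ 200 8192",
]


def demo_file_scan():
    """Run scan_files() on a constructed file: no hit against the real IOCs,
    one hit once the file's own SHA-256 is added to the watch list."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "mysql_helper")
        with open(path, "wb") as fh:
            fh.write(b"constructed test file, not the CDRThief sample\n")
        real_hits = scan_files(root)
        watch = {"md5": set(), "sha1": set(), "sha256": {hash_file(path)["sha256"]}}
        injected_hits = scan_files(root, watch)
    return len(real_hits), len(injected_hits)


if __name__ == "__main__":
    for number, ip, line in scan_log(SAMPLE_LOG):
        print("line %d: C2 %s: %s" % (number, ip, line))
    print("file scan (real IOCs, injected hash):", demo_file_scan())
```

On a live softswitch, point scan_files() at the directories the VOS platform runs from and feed scan_log() the proxy or firewall export for that host; a hash hit confirms the sample, while a log hit shows the exfiltration path and which host's MySQL credentials to rotate.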

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.