Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New CDRThief Malware Steals VoIP Metadata From Linux Softswitches

New CDRThief Malware Steals VoIP Metadata From Linux Softswitches

Malware researchers discovered a new threat that they named CDRThief targeting a specific Voice over IP system to steal call data records (CDR) from telephone exchange equipment.

Analysis of the malware revealed that it was specifically created for a particular Linux VoIP platform, namely Linknat VOS2009/3000 softswitches.

Clear purpose

A softswitch is a software solution acting as a VoIP server that manages traffic (audio/video/text) in a telecommunication network. It is a central element that ensures a connection between both internal and external lines.

source: Linknat

CDRThief’s purpose is to compromise VOS2009/3000 softswitches and steal call metadata from internal MySQL databases, such as IP addresses of the callers, phone numbers, start time and duration of the call, its route, and type.

Also read: How To Anonymised The Data: What Are The Importance Of This?

Dev knows its target

Analyzing the malware, researchers at ESET found it attempted to obfuscate malicious functionality using the Corrected Block TEA (XXTEA) cipher and then running Base64 encoding on suspicious-looking links.

Although access to the MySQL database is password-protected, the key is encrypted at rest in the configuration file, the CDRThief can read and decrypt it, indicating that whoever developed it knows the attacked platform very well.

ESET believes that the author had to reverse engineer platform binaries to get the details in the Linknat code about the encryption algorithm (AES) and the key that decrypts the database access password.

From the functions of the malware, the researchers determined that CDRThief’s interest is in tables containing logs of system events, information about VoIP gateways, and call metadata.

The malware delivers the information to a command and control (C2) server using JSON over HTTP after compressing and encrypting it with a hardcoded RSA-1024 public key.

“Based on the described functionality, we can say that the malware’s primary focus is on collecting data from the database. Unlike other backdoors, Linux/CDRThief does not have support for shell command execution or exfiltrating specific files from the compromised softswitch’s disk. However, these functions could be introduced in an updated version” – ESET

The analysis revealed that CDRThief can start from any location on the disk, using any file name. Once deployed, it tries to start a legitimate binary from the Linknat VOS2009/3000 platform:

exec -a '/home/kunshi/callservice/bin/callservice -r


It is unclear how persistence is achieved, but researchers say that the command above suggests that the malware might be inserted into the boot chain of the platform, possibly masquerading as a Linknat softswitch component.

Based on current observations from the analysis, CDRThief may be used for cyber espionage operations or VoIP fraud.

Also read: 10 Government Data Leaks In Singapore: Prevent Cybersecurity



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us