<— Back

CDRThief: Malware that targets Linux VoIP softswitches

14:05 – 14:35(SGT) Thursday 3 December, 2020

We recently discovered an interesting piece of malware that targets Voice over IP (VoIP) softswitches. At the time of discovery, we coined the name CDRThief for the malware. CDRThief targets specific Linux-based software switches produced in China and used mostly in the APAC region.

CDRThief is particularly interesting because the main purpose of the malware is to exfiltrate call detail records (CDR) from compromised VoIP softswitches. These records contain VoIP metadata of performed calls, such as time, duration, calling fee, etc. Further, it is rare to find an entirely new Linux malware family in the wild.

How attackers use stolen information is an as yet unsolved mystery. The call data records could be used for cyberespionage or for VoIP fraud.

During this talk we will provide a detailed technical description of the CDRThief malware and discuss possible goals of the malware operators.

Anton Cherepanov


Anton Cherepanov is a Senior Malware Researcher for ESET; his responsibilities include the analysis and hunting for the most complex threats. He has done extensive research on cyberattacks in Ukraine and uncovered the origins of NotPetya attack. He has presented his research at numerous conferences, including Black Hat USA, Virus Bulletin and CARO Workshop. His interests focus on reverse engineering and malware analysis automation. 

Sponsors and Supporting Organizations

Diamond Sponsors

Platinum Sponsor

Networking Lounge Sponsor

Supporting Organization

Associate Sponsors