A new malware that is being deployed by the Chinese hacking group APT 41 monitors SMS traffic and other mobile information en masse and is being used against telecommunications firms to target specific customer phone numbers.
The malware, called MessageTap, has been used in cyberespionage and financially motivated attacks, reported FireEye. MessageTap was first revealed earlier this year during an investigation at a telecommunications network provider, where it was found on a cluster of Linux Short Message Service Center (SMSC) servers. These servers are responsible for routing and storing SMS messages, which makes them a perfect target from which to cull sensitive data, FireEye researchers Raymond Leong, Dan Perez and Tyler Dean said in a recent report.
FireEye said four unnamed telecoms were targeted by APT 41 with MessageTap and another four were hit by a separate threat group with suspected ties to Chinese state-sponsored associations.
“Beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT 41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance,” FireEye said.
MessageTap itself operates in a straightforward manner.
“MessageTap is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt, and attempts to read the configuration files every 30 seconds. If either exist, the contents are read and XOR decoded,” the research team said.
The keyword_parm.txt file contains a list of keywords, while parm.txt contains International Mobile Subscriber Identity (IMSI) numbers and phoneMap, which contains phone numbers. At that point MessageTap is prepared to monitor all network connections to and from the server and extract SMS message data, including message content, IMSI number and the message’s source and destination.
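As an added, defender-side example (not code from the article or from FireEye), the following Python helper does two things a responder on a Linux SMSC host would want: it walks a directory tree for the two configuration file names named above, and it triages a recovered configuration blob by brute-forcing a single-byte XOR key and pulling out the IMSI, phone-number and keyword selectors. The single-byte XOR scheme, the scoring threshold and the sample file contents are assumptions made for illustration; the article does not describe the actual encoding.

```python
import os
import re

# File names the article reports for MESSAGETAP's configuration.
MESSAGETAP_CONFIG_NAMES = ("keyword_parm.txt", "parm.txt")

# Assumption for this example: a single-byte XOR key. The article only says the
# contents are "XOR decoded"; the real scheme is not given, so this is triage logic.
IMSI_RE = re.compile(rb"(?<!\d)\d{15}(?!\d)")        # IMSIs are 15 digits
PHONE_RE = re.compile(rb"(?<!\d)\+?\d{7,14}(?!\d)")  # E.164-style numbers
GOOD = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 \n+:,;_-.")

def find_config_files(root: str) -> list[str]:
    """Walk a directory tree and return paths whose basename matches a reported name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n in MESSAGETAP_CONFIG_NAMES)
    return sorted(hits)

def xor_bruteforce(data: bytes, threshold: float = 0.95) -> "dict | None":
    """Try every single-byte key; keep the candidate that looks most like line-oriented text."""
    best_key, best_score, best_pt = 0, -1.0, b""
    for key in range(256):
        cand = bytes(b ^ key for b in data)
        # Config-like bytes score 1; newlines score 2 so the real key beats case-swap look-alikes.
        score = (sum(b in GOOD for b in cand) + cand.count(b"\n")) / len(cand) if cand else 0.0
        if score > best_score:
            best_key, best_score, best_pt = key, score, cand
    return None if best_score < threshold else {"key": best_key, "score": best_score, "plaintext": best_pt}

def triage_config(data: bytes) -> dict:
    """Decode a recovered config blob and pull out the selectors a defender would pivot on."""
    dec = xor_bruteforce(data)
    if dec is None:
        return {"decoded": False}
    pt = dec["plaintext"]
    return {
        "decoded": True,
        "key": dec["key"],
        "imsi": [m.decode() for m in IMSI_RE.findall(pt)],
        "phones": [m.decode() for m in PHONE_RE.findall(pt)],
        # Non-empty lines with no digits are treated as keyword entries.
        "keywords": [ln.decode(errors="replace") for ln in pt.splitlines() if ln and not re.search(rb"\d", ln)],
    }

# Constructed samples: plausible parm.txt / keyword_parm.txt contents XOR-encoded with key 0x5A.
SAMPLE_PARM = bytes(b ^ 0x5A for b in b"IMSI:123456789012345\nPHONE:+12025550123\n")
SAMPLE_KEYWORDS = bytes(b ^ 0x5A for b in b"protest\nmeeting\n")
```

Recovered IMSIs and phone numbers are the selectors to cross-check against subscriber records to identify who was being watched; the file names and the 30-second polling cadence are what to alert on at the host.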
FireEye’s researchers believe this type of attack will continue going forward, forcing organizations and governments to realize the risk of sending unencrypted information into local communications networks that can be intercepted and gathered at a point far removed from the mobile device.
“This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information. Appropriate safeguards such as utilizing a communication program that enforces end-to-end encryption can mitigate a degree of this risk,” FireEye concluded.