Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

10/31/2019
04:00 PM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Chinese-Linked APT41 Can Read Your Texts

New malware family is designed to have the ability to monitor as well as save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.

FireEye Mandiant says that it has recently discovereda new malware family being used by APT41 (a Chinese APT group) that is designed to have the ability to monitor as well as save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. They say the malware, MESSAGETAP, was deployed as part of Chinese espionage efforts.

APT41 has previously been described by FireEye in a report as a dual cybercrime (finanacially motivated) and espionage operation.

The current operation was found during an August 2019 FireEye investigation at a telecommunications network provider within a cluster of Linux servers. This is an efficient location to place a data stealer because of the high amount of SMS traffic that goes through this part of the system.

Initially loaded by an installation script, MESSAGETAP is a 64-bit ELF data miner. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt. It attempts to read the configuration files every 30 seconds. If either exist, the contents are read and XOR decoded.

The researchers say that, "The first file (parm.txt) is a file containing two lists:

      1) imsiMap: This list contains International Mobile Subscriber Identity (IMSI) numbers. IMSI numbers identify subscribers on a cellular network.

 

               2) phoneMap: The phoneMap list contains phone numbers.

The second file (keyword_parm.txt) is a list of keywords that is read into keywordVec."

Once loaded into memory, both files are deleted. Then, the serious eavesdropping begins.

It uses the libpcap library to listen to all traffic and parses network protocols, starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic.

FireEye says that the malware will search the SMS message contents for keywords found in the keywordVec list, compares the IMSI number with numbers from the imsiMap list, and checks the extracted phone numbers with the numbers in the phoneMap list. The presence of both the phone number and the IMSI number used together signifies a highly targeted attack. The keyword list was composed of terms that the Chinese would find interesting, such as the names of political \r\nleaders, military and intelligence organizations as well as political movements at odds with the Chinese government.

But more is going on here. FireEye found that the threat actor was interacting with call detail record (CDR) databases to query, save and steal records during this same intrusion. The CDR records corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services.

It doesn't seem surprising that a nation-state threat actor would have this sort of interception capability. It is unusual to find such a detailed look at an operational tool as FireEye has provided. They see an evolving Chinese targeting trend focused on both upstream data and targeted surveillance. It is only prudent that due to tools like MESSAGETAP both users and organizations consider the risk of unencrypted data being intercepted several layers upstream in their cellular communication chain.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Cloud Security Threats for 2021
Or Azarzar, CTO & Co-Founder of Lightspin,  12/3/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Assessing Cybersecurity Risk in Todays Enterprises
Assessing Cybersecurity Risk in Todays Enterprises
COVID-19 has created a new IT paradigm in the enterprise and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27772
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in coders/bmp.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned int`. This would most likely lead to an impact to application availability, but could po...
CVE-2020-27773
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/gem-private.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type `unsigned char` or division by zero. This would most likely lead to an impact to appli...
CVE-2020-28950
PUBLISHED: 2020-12-04
The installer of Kaspersky Anti-Ransomware Tool (KART) prior to KART 4.0 Patch C was vulnerable to a DLL hijacking attack that allowed an attacker to elevate privileges during installation process.
CVE-2020-27774
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of a too large shift for 64-bit type `ssize_t`. This would most likely lead to an impact to application availability, but co...
CVE-2020-27775
PUBLISHED: 2020-12-04
A flaw was found in ImageMagick in MagickCore/quantum.h. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of values outside the range of type unsigned char. This would most likely lead to an impact to application availability, but c...