Monday, November 4, 2024
HomeComputer SecurityMessagetap - A New Malware Used by APT41 Hacker Group to Spy...

Messagetap – A New Malware Used by APT41 Hacker Group to Spy on SMS Traffic

Published on

Malware protection

A new malware dubbed “Messagetap” designed to monitor and record SMS traffic of certain phone numbers, IMSI numbers, and based on keywords for subsequent theft.

The new malware was developed by the Chinese APT41 hacker group to deploy in the telecommunications network. The malware was discovered by FireEye during an investigation at a telecommunications network provider.

APT41 is the Chinese state-sponsored hacker group, know for conducting financially motivated operations, the group found to be active at least from 2012.

- Advertisement - SIEM as a Service

The Messagetap malware found in a cluster of Linux servers that used for as Short Message Service Center (SMSC) servers. In the telecommunication network, SMSCs operate to store, forward, convert and deliver Short Message Service.

Messagetap Malware

Once this malware get’s installed in a Linux SMSCs, they check for the existence of two files named keyword_parm.txt and parm.txt. These files contain for Messagetap malware.

parm.txt – File contains IMSI numbers and phone numbers to target.

keyword_parm.txt – Contains Keyword list that is read into keywordVec

The configuration files provide the target for malware, keyword_parm.txt contains keywords of geopolitical interest and parm.txt contains two list phoneMap(phone numbers) and imsiMap(IMSI numbers).

Messagetap
Messagetap Flow Diagram Pic: FireEye

The malware installation script tries to read configuration files for every 30 seconds if the configuration files exist they are loaded into memory and files will get deleted.

“Messagetap begins monitoring all network connections to and from the server. It uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP,” reads FireEye report.

The malware extracts the following data from the network

  • SMS message contents
  • The IMSI number
  • The source and destination phone numbers

“The malware searches the SMS message contents for keywords from the keywordVec list, compares the IMSI number with numbers from the imsiMap list, and checks the extracted phone numbers with the numbers in the phoneMap list.”

If the SMS message matches the phone number, IMSI number or keywords they are saved to CSV file by the threat actor.

In addition to Messagetap SMS theft, FireEye also identified the threat actor interacting with call detail record (CDR) databases to query, save and steal records during this same intrusion.

The threat actor group continues to target other organizations such as travel services and healthcare providers beyond telecommunication to steal sensitive details of specific individuals.

Recently researchers discovered a new attack dubbed Simjacker, that can be exploited by sending an SMS containing a specific type of spyware code.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...

Sophisticated Phishing Attack Targeting Ukraine Military Sectors

The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215...

Chinese Hackers Attacking Microsoft Customers With Sophisticated Password Spray Attacks

Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

SYS01 InfoStealer Malware Attacking Meta Business Page To Steal Logins

The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy...

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Researchers discovered a Russian-linked threat actor, UNC5812, utilizing a Telegram persona named "Civil Defense....

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...