China-linked APT41 group targets telecommunications companies with new backdoor

China-linked APT41 group is targeting telecommunications companies with a new piece of malware used to spy on text messages of highly targeted individuals.

Researchers at FireEye discovered a new backdoor tracked as MessageTap that China-linked APT41 group are using to spy on text messages sent or received by highly targeted individuals

The experts found the MessageTap backdoor installed on a Linux-based Short Message Service Center (SMSC) server belonging to an unnamed telecommunications company. A Short Message Service Center (SMSC) is a network element in the mobile telephone network.

“FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.” reads the analysis published by FireEye. “Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts.”

The APT41 has been active since at least 2012, it was involved in both state-sponsored espionage campaigns and financially-motivated attacks since 2014. The group hit entities in several industries, including the gaming, healthcare, high-tech, higher education, telecommunications, and travel services industries.

Unlike other China-based actors, the group used custom malware in cyber espionage operations, experts observed 46 different malware families and tools in APT41 campaigns.

“MessageTap” is a 64-bit ELF data miner that upon execution checks for the existence of two files, keyword_parm.txt and parm.txt, that contain instructions for MESSAGETAP to target and save contents of SMS messages.

The first file (parm.txt) contains a list of International Mobile Subscriber Identity (IMSI) numbers and a list of phone numbers, the second file (keyword_parm.txt) includes a list of keywords that are read into keywordVec.

If the two files are present on the target machine, their contents are read and XOR decoded with a string containing a URL owned by the European Telecommunications Standards Institute (ETSI) pointing to a document that explains the Short Message Service (SMS) for GSM and UMTS Networks

Once the malware is executed, the configuration files are deleted from the disk, then MESSAGETAP begins monitoring all network connections to and from the server. The spyware uses the “libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP. Finally, the malware parses and extracts SMS message data from the network traffic:”

SMS message contents
The IMSI number
The source and destination phone numbers”

MessageTap is able to filter messages sent or received by specific phone numbers, containing certain keywords, or with specific IMSI numbers.

SMS messages of interest are saved to CSV files for later theft by the threat actor.

Experts pointed out that the use of unencrypted data expose users to the risk of being intercepted by threat actors. Highly targeted individuals such as dissidents, journalists, and officials that handle highly sensitive information are particularly exposed to cyber espionage campaigns carried out by nation-state hachers.

Experts at FireEye Mandiant also found APT41 hackers stealing call detail records (CDR) corresponded to high-ranking foreign individuals.

“In addition to MESSAGETAP SMS theft, FireEye Mandiant also identified the threat actor interacting with call detail record (CDR) databases to query, save and steal records during this same intrusion. The CDR records corresponded to foreign high-ranking individuals of interest to the Chinese intelligence services.” concludes the analysis. “Targeting CDR information provides a high-level overview of phone calls between individuals, including time, duration, and phone numbers. In contrast, MESSAGETAP captures the contents of specific text messages.

Experts have no doubts, hackers will continue to target telecommunications companies for cyber espionage campaigns.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – APT41, China)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.