APT 41 using MessageTap malware to gather SMS traffic

News by Doug Olenick

Malware deployed by the Chinese hacking group APT 41 monitors SMS traffic and other mobile information en masse to target specific customer phone numbers

A new malware that is being deployed by the Chinese hacking group APT 41 monitors SMS traffic and other mobile information en masse and is being used against telecommunications firms to target specific customer phone numbers.

The malware, called MessageTap, has been used in cyberespionage and financially motivated attacks, reported FireEye. MessageTap was first revealed earlier this year during an investigation of a telecommunication’s network provider working from a cluster of Linux Short Message Service Center (SMSC) servers. These are responsible for routing and storing SMS messages, which makes them a perfect target from which to cull sensitive data, said FireEye researchers Raymond Leong, Dan Perez and Tyler Dean said in a recent report.

FireEye said four unnamed telecoms were targeted by APT 41 with MessageTap and another four were hit by a separate threat group with suspected ties to Chinese state-sponsored associations.

"Beyond telecommunication organisations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT 41. "This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance," FireEye said.

The malware itself operates in a straight-forward manner.

"MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt and attempts to read the configuration files every 30 seconds. If either exist, the contents are read and XOR decoded," the research team said.

The Keyword_parm.txt file contains a list of keywords, while parm.txt contains International Mobile Subscriber Identity (IMSI) numbers and phoneMap, which contains phone numbers.

At this point MessageTap is prepared to monitor all network connections to and from the server and extract SMS message data including message content, IMSI number and the messages source and destination.

FireEye’s researchers believe this type of attack will continue going forward, forcing organisations and governments to realise the risk of sending unencrypted information into local communications networks that can be intercepted and gathered at a point far removed from the mobile device.

"This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information. Appropriate safeguards such as utilising a communication program that enforces end-to-end encryption can mitigate a degree of this risk," FireEye concluded.

The original version of this article was published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews