
MESSAGETAP

Posted: November 6, 2019

MESSAGETAP is a hacking tool used by the Chinese espionage group APT41, a team of hackers who often take part in financially motivated attacks as well as campaigns against high-profile targets that the Chinese government is interested in. The purpose of the MESSAGETAP malware is to infect the systems of telecommunication service providers and then data-mine SMS messages, keeping those that contain specific strings or whose recipient or sender is a target of the APT41 hackers.

APT41 Targets the Telecommunication Sector

The first traces of MESSAGETAP's activities were discovered at the beginning of 2019, and a lot of information about MESSAGETAP is now available thanks to the efforts of malware researchers. This data-mining piece of malware is deployed on Linux servers that serve as Short Message Service Centers (SMSC), the systems responsible for routing SMS messages. Once the MESSAGETAP malware is initialized, it checks for the presence of the files 'parm.txt' and 'keyword_parm.txt'. The latter contains keywords to sniff for, while the former contains International Mobile Subscriber Identity (IMSI) numbers to look for; an IMSI number is the unique identifier of a SIM card.

APT41's MESSAGETAP Specializes in the Theft of SMS Messages

Once the two configuration files have been loaded into memory alongside MESSAGETAP's code, the malware deletes them from disk to reduce the fingerprint it leaves behind. Finally, MESSAGETAP begins to inspect all network traffic for the data it is programmed to search for: every message that includes a targeted keyword, phone number, or IMSI number is stored in a separate list that the attackers retrieve periodically. A closer look at the two configuration files revealed that the MESSAGETAP malware might be used against high-level military and political organizations, high-profile politicians, and other targets that the Chinese government may express interest in.
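The behaviour described above (a process reads 'parm.txt' and 'keyword_parm.txt', then deletes them shortly afterwards) is a pattern a defender can hunt for in file-access telemetry from SMSC hosts. The script below is an added example, not code from the page or from the researchers who analysed MESSAGETAP; it correlates open and unlink events for those two file names within a short window and grades the hit higher when both files are touched by the same process. The log line format and all event lines are constructed for the example; real auditd or EDR telemetry uses different field layouts and would need its own parser.

```python
"""Hunt for the MESSAGETAP staging pattern: config files read, then deleted."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# File names taken from the MESSAGETAP analysis above.
MESSAGETAP_CONFIG_FILES = {"parm.txt", "keyword_parm.txt"}


@dataclass
class FileEvent:
    ts: datetime
    host: str
    pid: int
    exe: str
    action: str  # "open" or "unlink"
    path: str


def parse_event(line: str) -> FileEvent:
    """Parse one constructed event line:
    <iso-timestamp> <host> pid=<n> exe=<path> <open|unlink> <path>
    (assumed format for this example, not any real sensor's output)."""
    ts, host, pid_field, exe_field, action, path = line.split()
    return FileEvent(
        ts=datetime.fromisoformat(ts),
        host=host,
        pid=int(pid_field.split("=", 1)[1]),
        exe=exe_field.split("=", 1)[1],
        action=action,
        path=path,
    )


def find_staging_pattern(lines, window=timedelta(minutes=5)):
    """Return one alert per process that opened a MESSAGETAP config file
    and unlinked the same path within `window`.

    Severity is "high" when both config files were read-then-deleted by
    the same process (the full pattern from the analysis) and "medium"
    when only one of them was."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e.ts)
    pending_opens = {}  # (host, pid, path) -> timestamp of the open
    hits = {}           # (host, pid, exe) -> set of matched file names
    for ev in events:
        name = ev.path.rsplit("/", 1)[-1]
        if name not in MESSAGETAP_CONFIG_FILES:
            continue  # unrelated file, skip cheaply
        key = (ev.host, ev.pid, ev.path)
        if ev.action == "open":
            pending_opens[key] = ev.ts
        elif ev.action == "unlink":
            opened_at = pending_opens.pop(key, None)
            # Only a delete that closely follows a read is suspicious;
            # an operator editing a file hours earlier does not match.
            if opened_at is not None and ev.ts - opened_at <= window:
                hits.setdefault((ev.host, ev.pid, ev.exe), set()).add(name)
    alerts = []
    for (host, pid, exe), names in hits.items():
        alerts.append({
            "host": host,
            "pid": pid,
            "exe": exe,
            "files": sorted(names),
            "severity": "high" if names == MESSAGETAP_CONFIG_FILES else "medium",
        })
    return alerts


# Constructed sample telemetry: pid 4242 shows the full pattern, pid 5555
# touches only one file, and pid 9001 is an operator whose delete comes
# far outside the window.
SAMPLE_EVENTS = """
2019-03-01T02:10:05 smsc01 pid=4242 exe=/tmp/.x open /tmp/keyword_parm.txt
2019-03-01T02:10:05 smsc01 pid=4242 exe=/tmp/.x open /tmp/parm.txt
2019-03-01T02:10:07 smsc01 pid=4242 exe=/tmp/.x unlink /tmp/keyword_parm.txt
2019-03-01T02:10:07 smsc01 pid=4242 exe=/tmp/.x unlink /tmp/parm.txt
2019-03-01T02:20:00 smsc01 pid=5555 exe=/var/tmp/svc open /var/tmp/keyword_parm.txt
2019-03-01T02:20:30 smsc01 pid=5555 exe=/var/tmp/svc unlink /var/tmp/keyword_parm.txt
2019-03-01T02:11:00 smsc01 pid=9001 exe=/usr/bin/vim open /home/ops/parm.txt
2019-03-01T03:30:00 smsc01 pid=9001 exe=/usr/bin/vim unlink /home/ops/parm.txt
2019-03-01T02:12:00 smsc01 pid=9001 exe=/usr/bin/vim open /home/ops/notes.txt
"""

if __name__ == "__main__":
    for alert in find_staging_pattern(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The file names alone are a weak indicator, since nothing stops an operator from naming a file 'parm.txt'; the read-then-delete sequence within a short window, on a host whose role is SMS routing, is what turns them into a usable hunt, and the window should be tuned to how quickly the sensor reports events.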

It is not clear how the hackers are able to penetrate the SMSC servers of telecommunications service providers and deploy the MESSAGETAP malware there.
