MESSAGETAP: Who's Reading Your Text Messages? (Oct 31, 2019)
The Chinese Advanced Persistent Threat (APT) group, “APT 41” have recently started using a new malware variant named “MESSAGETAP” as discovered by FireEye Mandiant. MESSAGETAP is an espionage tool utilized by APT41 to observe and save Short Message Service (SMS) traffic from specific phone numbers. MESSAGETAP was discovered on a series of Linux servers that were operating as SMSC servers. Once installed on servers, MESSAGETAP will search for two files, “keyword_parm.txt” and “parm.txt”. These files are being used as commands for MESSAGETAP to focus on SMS messages and save their contents. These files are then deleted from the disk once the configuration files are loaded into memory. MESSAGETAP will now monitor all network communications coming in and out of the server collecting SMS message data which are then stored in a CSV file. The keyword list contains items of interest to Chinese intelligence. This includes political leaders, military and intelligence organizations and political movements that are against the Chinese Government.
Recommendation: Users and organizations must consider the risk of unencrypted data being intercepted in their cellular communication chain. This is especially critical for highly targeted individuals such as dissidents, journalists and officials that handle highly sensitive information. Appropriate safeguards such as utilizing a communication program that enforces end-to-end encryption can mitigate a degree of this risk. Additionally, user education must impart the risks of transmitting sensitive data over SMS. More broadly, the threat to organizations that operate at critical information junctures will only increase as the incentives for determined nation-state actors to obtain data that directly support key geopolitical interests remains.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.