MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. [1]

ID: S0443
Platforms: Linux
Version: 1.0
Created: 11 May 2020
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list. [1]

Enterprise T1119 Automated Collection

MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and read the contents of the files. [1]

Enterprise T1083 File and Directory Discovery

MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk. [1]

Enterprise T1040 Network Sniffing

MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. [1]

Enterprise T1049 System Network Connections Discovery

After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the victim server. [1]

Groups That Use This Software

ID Name References
G0096 APT41