elf.messagetap

MESSAGETAP

Actor(s): APT41


MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.

References
2020-09-10 | Kaspersky Labs | GReAT
An overview of targeted attacks and APTs on Linux
Cloud Snooper Dacls DoubleFantasy MESSAGETAP Penquin Turla Tsunami elf.wellmess X-Agent

2020-06-16 | Intezer | Avigayil Mechtinger
ELF Malware Analysis 101: Linux Threats No Longer an Afterthought
Cloud Snooper Dacls EvilGnome HiddenWasp MESSAGETAP NOTROBIN QNAPCrypt Winnti

2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2019-11-19 | FireEye | Kelli Vanderlee, Nalani Fraser
Achievement Unlocked: Chinese Cyber Espionage Evolves to Support Higher Level Missions
MESSAGETAP TSCookie ACEHASH CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT HIGHNOON HTran MimiKatz NetWire RC poisonplug Poison Ivy pupy Quasar RAT ZXShell

2019-10-31 | FireEye | Dan Perez, Raymond Leong, Tyler Dean
MESSAGETAP: Who’s Reading Your Text Messages?
MESSAGETAP

2019-09-23 | MITRE | MITRE ATT&CK
APT41
Derusbi MESSAGETAP Winnti ASPXSpy BLACKCOFFEE CHINACHOPPER Cobalt Strike Derusbi Empire Downloader Ghost RAT MimiKatz NjRAT PlugX ShadowPad Winnti ZXShell APT41
Yara Rules
[TLP:WHITE] elf_messagetap_w0 (20191113 | Detects MESSAGETAP malware through strings)
rule elf_messagetap_w0 {
    meta:
        description = "Detects MESSAGETAP malware through strings"
        author = "Emanuele De Lucia"
        date = "2019-10-13"
        tlp = "white"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap"
        malpedia_version = "20191113"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // output file name format strings (SMS dump and CSV logs)
        $x1 = "%04d%02d%02d_%d.dump" fullword ascii
        $x2 = "%s_%04d%02d%02d.csv" fullword ascii
        $x3 = "%04d%02d%02d.csv" fullword ascii
        // error and diagnostic strings from the SS7/TCAP parsing code
        $s1 = "get message type fail" fullword ascii
        $s2 = "GetLen fail" fullword ascii
        $s3 = "GetType fail" fullword ascii
        $s4 = "Operation_Global_Code_tag TODO" fullword ascii
        $s5 = "mem alloc failed" fullword ascii
        $s6 = "tcap parse begin component fail" fullword ascii
        $s7 = "GCC: (SUSE Linux) 4.3.4 [gcc-4_3-branch revision 152973]" fullword ascii
        $s8 = "tcap parse begin Dialogue fail" fullword ascii
    condition:
        // ELF magic (0x7f 'E' read as little-endian uint16), small file, and string combination
        (uint16(0) == 0x457f and filesize < 200KB and (1 of ($x*) and 4 of ($s*)))
}