Skip to content

S0443 MESSAGETAP

MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. 1

Item Value
ID S0443
Associated Names
Type MALWARE
Version 1.0
Created 11 May 2020
Last Modified 24 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.003 Archive via Custom Method MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list. 1
enterprise T1119 Automated Collection MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.1
enterprise T1140 Deobfuscate/Decode Files or Information After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and read the contents of the files. 1
enterprise T1083 File and Directory Discovery MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Once loaded into memory, MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk. 1
enterprise T1040 Network Sniffing MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata. 1
enterprise T1049 System Network Connections Discovery After loading the keyword and phone data files, MESSAGETAP begins monitoring all network connections to and from the victim server. 1

Groups That Use This Software

ID Name References
G0096 APT41 12

References

  1. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. 

  2. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.