MESSAGETAP is a malware tool used by APT41, an advanced persistent threat group associated with Chinese cyber espionage. FireEye first reported the malware to its Threat Intelligence subscribers in August 2019 and discussed it publicly at the FireEye Cyber Defense Summit the same year. It was discovered during an investigation at a telecommunications network provider, on a cluster of Linux servers. MESSAGETAP is a 64-bit ELF data miner: an installation script loads it, it reads a keyword list and a phone-number list from two data files, and once those are loaded it begins monitoring all network connections to and from the server.
MESSAGETAP's primary function is to capture the contents of specific text messages. When an SMS message contains one of the configured keywords, the malware writes the message to a CSV file, which the threat actor later retrieves. Because the filtering happens on the provider's infrastructure, this approach enables large-scale targeting of sensitive text messages and call detail records, and it marks an evolution in Chinese cyber espionage campaigns. Notably, this version of MESSAGETAP appears less robust than instances identified in other intrusions, which suggests it may be an earlier test version of the malware.
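The following is an added illustration of the filtering mechanism described above; it is not MESSAGETAP's code or FireEye's analysis code. It assumes the intercepted SMS traffic is carried as SMPP submit_sm PDUs (a common protocol between SMS centres; the page does not name the protocol MESSAGETAP parsed), decodes the addressing and text fields, matches them against a keyword list and a phone-number list, and emits the hits as CSV rows. The sample PDUs, keywords and numbers are all constructed here, and the data_coding handling is simplified (the packed GSM 7-bit alphabet is not decoded).

```python
"""Minimal SMPP submit_sm parser plus a keyword / phone-number filter.

Added example for this page, not MESSAGETAP's code.  It shows what a
server-side SMS filter of the kind described needs: the source and
destination numbers and the short_message text, all of which are in the
clear in an SMPP PDU.  Sample traffic, keywords and numbers are constructed.
"""
import csv
import io
import struct

SUBMIT_SM = 0x00000004  # SMPP command_id for submit_sm


def _cstring(buf: bytes, pos: int):
    """Read a NUL-terminated SMPP C-octet string; return (text, next_pos)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii"), end + 1


def parse_submit_sm(pdu: bytes) -> dict:
    """Decode one submit_sm PDU into sequence number, addresses and text."""
    length, cmd_id, _status, seq = struct.unpack(">IIII", pdu[:16])
    if cmd_id != SUBMIT_SM or length != len(pdu):
        raise ValueError("not a complete submit_sm PDU")
    pos = 16
    _service_type, pos = _cstring(pdu, pos)
    pos += 2                                  # source_addr_ton, source_addr_npi
    source, pos = _cstring(pdu, pos)
    pos += 2                                  # dest_addr_ton, dest_addr_npi
    dest, pos = _cstring(pdu, pos)
    pos += 3                                  # esm_class, protocol_id, priority_flag
    _sched, pos = _cstring(pdu, pos)          # schedule_delivery_time
    _validity, pos = _cstring(pdu, pos)       # validity_period
    pos += 2                                  # registered_delivery, replace_if_present_flag
    data_coding = pdu[pos]
    pos += 2                                  # data_coding, sm_default_msg_id
    sm_length = pdu[pos]
    pos += 1
    raw = pdu[pos:pos + sm_length]
    if data_coding == 0x08:                   # UCS-2
        text = raw.decode("utf-16-be")
    else:                                     # simplification: treat default alphabet as 8-bit
        text = raw.decode("latin-1")
    return {"seq": seq, "source": source, "dest": dest, "text": text}


def build_submit_sm(seq: int, source: str, dest: str, text: str, ucs2: bool = False) -> bytes:
    """Construct a submit_sm PDU; used only to create the sample traffic below."""
    raw, dc = (text.encode("utf-16-be"), 0x08) if ucs2 else (text.encode("latin-1"), 0x00)
    body = (b"\x00"                                   # service_type (empty)
            + bytes([1, 1]) + source.encode("ascii") + b"\x00"
            + bytes([1, 1]) + dest.encode("ascii") + b"\x00"
            + bytes([0, 0, 0])                        # esm_class, protocol_id, priority_flag
            + b"\x00" + b"\x00"                       # schedule_delivery_time, validity_period
            + bytes([0, 0, dc, 0, len(raw)]) + raw)   # registered_delivery .. sm_length
    return struct.pack(">IIII", 16 + len(body), SUBMIT_SM, 0, seq) + body


def filter_messages(pdus, keywords, numbers) -> list:
    """Return parsed messages that contain a keyword (case-insensitive) or
    involve a watched source/destination number, tagged with the reason."""
    kws = [k.lower() for k in keywords]
    hits = []
    for pdu in pdus:
        msg = parse_submit_sm(pdu)
        by_kw = any(k in msg["text"].lower() for k in kws)
        by_num = msg["source"] in numbers or msg["dest"] in numbers
        if by_kw or by_num:
            msg["reason"] = "keyword" if by_kw else "number"
            hits.append(msg)
    return hits


def to_csv(hits) -> str:
    """Render the hits as CSV text (the page describes CSV as the output format)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["seq", "source", "dest", "reason", "text"])
    writer.writeheader()
    writer.writerows(hits)
    return out.getvalue()


# Constructed sample traffic and hypothetical watch lists.
SAMPLE_PDUS = [
    build_submit_sm(1, "15550100001", "15550100002", "Dinner at 7?"),
    build_submit_sm(2, "15550100003", "15550100004", "Your verification code is 482913"),
    build_submit_sm(3, "15550100005", "15550100099", "Running late"),
    build_submit_sm(4, "15550100006", "15550100007", "Passwort zurücksetzen", ucs2=True),
]
WATCH_KEYWORDS = ["verification code", "passwort"]
WATCH_NUMBERS = {"15550100099"}

if __name__ == "__main__":
    print(to_csv(filter_messages(SAMPLE_PDUS, WATCH_KEYWORDS, WATCH_NUMBERS)))
```

The point for defenders is that nothing in this filter needs more than read access to the traffic: the numbers and message text are plaintext fields of the PDU, so a process that can sniff the link between core elements sees everything a handset-level compromise would, for every subscriber at once. Running the example prints three hits: the one-time code (keyword), the message to the watched number (number) and the UCS-2 message (keyword).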
The MESSAGETAP case shows how espionage tooling adapts to the infrastructure it targets: rather than compromising individual subscribers, the operators collected SMS content on a provider's servers, where it is visible in bulk. Organizations that carry or store sensitive communications should account for this kind of collection in their threat models and monitoring. FireEye's identification and analysis of MESSAGETAP provide useful insight into these campaigns and into how they are evolving.
Description last updated: 2024-05-04T19:55:01.017Z