February 29, 2024 at 07:09AM
Threat hunters discovered a new Linux malware, GTPDOOR, designed for telecom networks adjacent to GPRS roaming exchanges. It uses the GPRS Tunnelling Protocol for command-and-control communication. The backdoor is linked to the known threat actor LightBasin, which targets the telecom sector for subscriber information theft. GTPDOOR lets an attacker contact a compromised host and execute commands on it.
From the meeting notes, it’s clear that threat hunters have identified a new Linux malware named GTPDOOR. This malware is targeted at telecom networks adjacent to GPRS roaming exchanges and uses the GPRS Tunnelling Protocol (GTP) for command-and-control communications.
The GTPDOOR malware was discovered by security researcher haxrob, who found two artifacts uploaded to VirusTotal from China and Italy. The malware is thought to be linked to a known threat actor called LightBasin (aka UNC1945). This threat actor has previously been associated with attacks targeting the telecom sector to steal subscriber information and call metadata.
GTPDOOR functions as a backdoor that allows threat actors with established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload. The malware is designed to sit on compromised hosts that directly connect to the GRX network and communicate with other telecommunication operator networks via the GRX.
The first action GTPDOOR takes when run is to change its process name to ‘[syslog]’ as a disguise; it then opens a raw socket to receive UDP messages that hit the network interfaces. This lets the implant receive a command to execute on the infected machine and return the results to the remote host.
Additionally, the malware can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number. If the implant is active, a crafted empty TCP packet is returned along with information showing if the destination port was open or responding on the host.
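The two behaviours described above (Echo Requests carrying an unexpected payload, and a user-space process posing as the kernel thread ‘[syslog]’) both leave traces a defender can check for. The following is an added example, not code from the original report and not GTPDOOR's own code. It assumes GTPv1 headers (3GPP TS 29.060) on the GTP-C port and that a legitimate GTPv1 Echo Request carries nothing after its header except, at most, a Private Extension IE; the sample datagrams are constructed, not captured traffic, and GTPDOOR's actual payload format is not known from the page.

```python
"""Defender-side checks for the GTPDOOR behaviours described in the report.

Added example; assumes GTPv1 (3GPP TS 29.060) headers on the GTP-C port and
that a legitimate Echo Request carries at most a Private Extension IE.
"""
import os
import struct

GTP_C_PORT = 2123            # GTP-C control port on real GSNs (informational)
MSG_ECHO_REQUEST = 1         # GTPv1 message type of an Echo Request
IE_PRIVATE_EXTENSION = 0xFF  # TLV IE, the only optional IE an Echo Request may carry


def gtpv1_header_length(data: bytes) -> int:
    """Return the total GTPv1 header length, walking any extension headers."""
    if len(data) < 8:
        raise ValueError("too short for a GTPv1 header")
    flags = data[0]
    if flags >> 5 != 1:
        raise ValueError(f"not GTPv1 (version={flags >> 5})")
    if not flags & 0x07:          # no E/S/PN flag: only the 8 mandatory bytes
        return 8
    if len(data) < 12:
        raise ValueError("truncated optional header fields")
    pos = 12
    next_ext = data[11] if flags & 0x04 else 0   # next-ext byte is ignored unless E is set
    while next_ext:               # ext header: len (in 4-octet units), body, next type
        if pos >= len(data) or data[pos] == 0:
            raise ValueError("malformed extension header")
        ext_len = data[pos] * 4
        if pos + ext_len > len(data):
            raise ValueError("truncated extension header")
        next_ext = data[pos + ext_len - 1]
        pos += ext_len
    return pos


def classify_gtp_datagram(data: bytes) -> str:
    """Classify one GTP-C datagram as 'not-echo-request', 'length-mismatch',
    'benign' or 'suspicious-payload'. Bytes after an Echo Request header that
    are not exactly one well-formed Private Extension IE are treated as suspicious."""
    hdr_len = gtpv1_header_length(data)
    msg_type = data[1]
    length = struct.unpack("!H", data[2:4])[0]
    if msg_type != MSG_ECHO_REQUEST:
        return "not-echo-request"
    if length != len(data) - 8:   # length field counts everything after the 8 mandatory bytes
        return "length-mismatch"
    trailing = data[hdr_len:]
    if not trailing:
        return "benign"
    if (len(trailing) >= 3 and trailing[0] == IE_PRIVATE_EXTENSION
            and struct.unpack("!H", trailing[1:3])[0] == len(trailing) - 3):
        return "benign"
    return "suspicious-payload"


def is_disguised_kernel_thread(comm: str, cmdline: str, ppid: int) -> bool:
    """True when a process shows a bracketed, kernel-thread-style name but has
    properties no real kernel thread has: a non-empty cmdline, or a parent other
    than kthreadd (PID 2) or the idle task (PID 0). Real kernel threads carry no
    brackets in comm; ps adds them because their cmdline is empty."""
    bracketed = comm.startswith("[") or cmdline.startswith("[")
    return bracketed and (bool(cmdline) or ppid not in (0, 2))


def scan_proc(proc_root: str = "/proc") -> list:
    """Walk /proc (Linux) and return (pid, comm, cmdline) of flagged processes."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            with open(f"{base}/stat") as f:   # "pid (comm) state ppid ..."; comm may hold ')'
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue                          # process exited while we were reading
        if is_disguised_kernel_thread(comm, cmdline, ppid):
            hits.append((int(entry), comm, cmdline))
    return hits


# Constructed sample datagrams (flags 0x32 = GTPv1, PT=1, S=1; TEID 0; seq 1).
BENIGN_ECHO = bytes.fromhex("32010004" "00000000" "00010000")
SUSPICIOUS_ECHO = (BENIGN_ECHO[:2] + struct.pack("!H", 4 + 19)
                   + BENIGN_ECHO[4:] + b"CONSTRUCTED-PAYLOAD")
PRIVATE_EXT_ECHO = bytes.fromhex("3201000a" "00000000" "00010000" "ff0003" "0001aa")
ECHO_RESPONSE = bytes.fromhex("32020006" "00000000" "00010000" "0e01")  # Recovery IE
EXT_HDR_ECHO = bytes.fromhex("36010008" "00000000" "000100c0" "01000500")  # E flag set

if __name__ == "__main__":
    for name in ("BENIGN_ECHO", "SUSPICIOUS_ECHO", "PRIVATE_EXT_ECHO", "ECHO_RESPONSE", "EXT_HDR_ECHO"):
        print(f"{name:17s} -> {classify_gtp_datagram(globals()[name])}")
    if os.path.isdir("/proc"):
        print("disguised processes:", scan_proc())
```

In practice the datagram check would be fed from a packet capture or a raw-socket sniffer filtered on UDP port 2123; the classifier deliberately does not inspect the trailing bytes themselves, so it does not depend on knowing GTPDOOR's payload layout, only on the fact that an Echo Request should carry none.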
This information provides crucial insights into the behavior and impact of GTPDOOR, as well as the potential risks it poses to network security.