GTPDOOR
04 Mar

GTPDOOR Malware targets telecom networks!

Security researchers have uncovered a new Linux malware named GTPDOOR, specifically crafted to infiltrate telecom networks adjacent to GPRS roaming exchanges (GRX).

What distinguishes GTPDOOR is its use of the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications, an approach not previously seen in malware.

GPRS roaming enables subscribers to access their GPRS services even when they are outside their home mobile network’s coverage area. This is facilitated by the GRX, which transports roaming traffic via GTP between visited and home Public Land Mobile Networks (PLMNs).

Haxrob, a security researcher, discovered two GTPDOOR artifacts uploaded to VirusTotal, originating from China and Italy. He suggests a connection to the notorious threat actor LightBasin (aka UNC1945), previously linked to attacks on the telecom sector aimed at stealing subscriber data and call metadata.

Upon execution, GTPDOOR disguises itself by changing its process name to ‘[syslog]’ and opens a raw socket so that it can receive UDP messages arriving on the host’s network interfaces. This allows threat actors with established persistence on the roaming exchange network to contact compromised hosts by sending GTP-C Echo Request messages containing malicious payloads. The messages carry commands to be executed on the infected machine, and the results are transmitted back to the remote host.
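Because a legitimate GTPv1-C Echo Request is a keep-alive that carries no body beyond an optional Private Extension IE (3GPP TS 29.060), an Echo Request arriving with extra bytes after the header is a cheap thing for a defender to flag. The following is an added detection example, not code from the original post or from the researcher; the header layout and IE numbers are from the GTP specification, the "extra body" heuristic is an assumption, and the sample datagrams are constructed rather than captured GTPDOOR traffic.

```python
import struct

# Constants from 3GPP TS 29.060 (GTPv1-C). The heuristic itself is an assumption,
# not a description of GTPDOOR's on-the-wire payload format.
GTPC_PORT = 2123            # UDP port on which GTP-C is exchanged (where this would run)
MSG_ECHO_REQUEST = 1        # message type: Echo Request
IE_PRIVATE_EXTENSION = 255  # the only IE a legitimate Echo Request may carry

def parse_gtpv1c(payload: bytes) -> dict:
    """Parse the mandatory 8-byte GTPv1-C header plus the optional 4-byte block."""
    if len(payload) < 8:
        raise ValueError("too short for a GTPv1-C header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    # If any of E, S or PN is set, sequence number, N-PDU number and
    # next-extension-header type (4 bytes total) follow the TEID.
    hdr_len = 12 if flags & 0x07 else 8
    return {"version": flags >> 5, "msg_type": msg_type, "length": length,
            "teid": teid, "body": payload[hdr_len:]}

def suspicious_echo_request(payload: bytes) -> bool:
    """Flag a GTPv1-C Echo Request whose body is neither empty nor one Private Extension IE."""
    try:
        hdr = parse_gtpv1c(payload)
    except ValueError:
        return False  # not GTP-C at all; leave it to other rules
    if hdr["version"] != 1 or hdr["msg_type"] != MSG_ECHO_REQUEST:
        return False
    if hdr["length"] != len(payload) - 8:
        return True   # declared length disagrees with the bytes actually received
    body = hdr["body"]
    if not body:
        return False  # ordinary keep-alive probe
    if body[0] == IE_PRIVATE_EXTENSION and len(body) >= 3:
        (ie_len,) = struct.unpack("!H", body[1:3])
        if len(body) == 3 + ie_len:
            return False  # single well-formed Private Extension IE, nothing trailing
    return True

# Constructed samples (not real captures): flags 0x32 = version 1, PT=1, S=1.
OPTIONAL = b"\x00\x01\x00\x00"  # seq=1, N-PDU=0, next extension type=0
BENIGN_ECHO = b"\x32\x01\x00\x04\x00\x00\x00\x00" + OPTIONAL
EXTRA = b"CONSTRUCTED-OPAQUE-BYTES"
ANOMALOUS_ECHO = (b"\x32\x01" + struct.pack("!H", 4 + len(EXTRA))
                  + b"\x00\x00\x00\x00" + OPTIONAL + EXTRA)

def scan(datagrams):
    """Return the indices of UDP payloads that trip the heuristic."""
    return [i for i, d in enumerate(datagrams) if suspicious_echo_request(d)]

if __name__ == "__main__":
    print(scan([BENIGN_ECHO, ANOMALOUS_ECHO]))  # -> [1]
```

In practice the same check would be applied to UDP/2123 traffic captured on the GRX-facing interface, where any Echo Request with a body is worth a closer look.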

An intriguing feature of GTPDOOR is its responsiveness to external network probing. By sending TCP packets to any port number, an external entity can covertly elicit a response from the implant. If active, the implant returns a crafted empty TCP packet along with information about the host’s port status.

The malware appears tailored to compromised hosts that interface directly with the GRX network, the hosts through which an operator communicates with other telecommunication operators’ networks. This strategic placement within the network infrastructure suggests a targeted and sophisticated approach by the threat actors, and emphasizes the importance of robust security measures in telecom environments.

Figure: GTPDOOR malware

In summary, GTPDOOR represents a significant advancement in malware tactics, leveraging GTP for C2 communications and posing a serious threat to telecom networks, particularly those handling roaming traffic. Its stealthy behavior and adaptability underscore the need for vigilant monitoring and proactive defense measures to thwart such sophisticated cyber threats.