Threat hunters have discovered a new Linux malware called GTPDOOR designed to be deployed in telecommunications networks adjacent to GPRS roaming exchanges (GRX)
The malware is innovative in that it uses the GPRS Tunneling Protocol (GTP) for command and control (C2) communications.
GPRS roaming allows subscribers to access their GPRS services while out of range of their home mobile network. This is facilitated by means of a GRX which carries roaming traffic using GTP between the visited public land mobile network (PLMN) and the home network.
Security researcher haxrob, who discovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, said that the backdoor is likely linked to a well-known threat actor tracked as LightBasin (also known as UNC1945), which had previously been disclosed by CrowdStrike in October 2021 in connection with a series of attacks against the telecommunications industry to steal subscriber information and call metadata.
“When executed, the first thing GTPDOOR does is process-name kicks in, changing the process name to ‘[syslog]’ – masquerading as syslog invoked by the kernel,” the researcher said. “Suppresses child signals and thus opens a raw socket [that] will allow the facility to receive UDP messages reaching the network interfaces.”
In other words, GTPDOOR allows a threat actor who has already established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.
This magical GTP-C Echo Request message acts as a channel to broadcast a command to execute on the infected machine and return the results to the remote host.
GTPDOOR “It can be covertly probed by an external network to get a response by sending a TCP packet to any port number,” the researcher noted. “If the facility is active, a crafted blank TCP packet is returned along with information whether the destination port was open/responding on the host.”
“It appears that this facility is designed to reside on compromised hosts that directly touch the GRX network – these are the systems that communicate with the networks of other telecom operators via GRX.”