Skip to content Skip to footer

New Linux Malware GTPDOOR Uses GPRS Protocol for Telecom Network Attacks

Threat hunters have discovered a new called GTPDOOR that's designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX)

The malware is novel because it leverages the GPRS Tunnelling Protocol (GTP) for (C2) communications.

GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated using a GRX that transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN).

Security researcher haxrob, who discovered two GTPDOOR artifacts uploaded to VirusTotal from and Italy, said the is likely linked to a known tracked as LightBasin (aka UNC1945), which CrowdStrike previously disclosed in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata.

“When run, the first thing GTPDOOR does is process-name stomps itself – changing its process name to ‘[syslog]' – disguised as syslog invoked from the kernel,” the researcher said. “It suppresses child signals and then opens a raw socket [that] will allow the implant to receive UDP messages that hit the network interfaces.”

Put differently, GTPDOOR allows a with established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.

This magic GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the infected machine and return the results to the remote host.

GTPDOOR “Can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number,” the researcher noted. “If the implant is active a crafted empty TCP packet is returned along with information if the destination port was open/responding on the host.”

“This implant looks like it is designed to sit on compromised hosts that directly touch the GRX network – these are the systems that communicate to other telecommunication operator networks via the GRX.”

Leave a comment

Newsletter Signup
Address

The Grid —
The Matrix Has Me
Big Bear Lake, CA 92315

01010011 01111001 01110011 01110100 01100101 01101101 00100000
01000110 01100001 01101001 01101100 01110101 01110010 01100101

We exist without nationality, skin color, or religious bias.Agent Bob

Deitasoft © 2024. All Rights Reserved.