GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

GTPDOOR is a newly discovered Linux malware crafted specifically to infiltrate telecom networks located adjacent to GPRS roaming exchanges. What sets it apart from other malware strains is its use of the GPRS Tunneling Protocol (GTP) for command-and-control (C2) communication.

Security researcher haxrob, who found two samples of GTPDOOR uploaded to VirusTotal from China and Italy, suspects a connection to the LightBasin threat actor, also known as UNC1945. This group was previously identified by CrowdStrike as targeting the telecom sector to steal subscriber data and call metadata.

Upon execution, GTPDOOR camouflages itself as syslog, a standard logging utility, and opens a raw socket to intercept UDP messages on the network interfaces. This allows the malware to receive GTP-C Echo Request messages carrying a malicious payload, effectively giving attackers a way to remotely command compromised hosts within the GRX network. The embedded commands are executed on the infected machine, and the results are sent back to the attackers over the same channel.

Security Officer Comments:
Notably, the GTPDOOR can covertly respond to external probing attempts by sending crafted TCP packets, indicating its presence and potentially revealing information about the host’s status. This behavior suggests that GTPDOOR is tailored to compromise hosts directly involved in the GRX network, which facilitates communication between different telecommunication operator networks.

Suggested Corrections:
Researchers recommend the following defense mitigations:

  • The inbound GTP UDP port only needs to be open on the GRX systems that actually use it. Firewall rules should be explicit enough to drop these packets inbound for any system that does not use the GTP protocol
  • Aggressive rules to block inbound TCP connections via the GRX: there is not a lot that actually needs to be open
  • Probe TCP packets with the RST/ACK flags set could be dropped on the GRX firewall
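The C2 mechanism described above (GTP-C Echo Requests that carry data they should not) gives defenders a simple on-wire signal to alert on alongside the firewall rules. The following is an added example, not code from the report or from the researcher, of a GTPv1-C header check that flags Echo Requests with trailing bytes; the sample datagrams are constructed here, and the field layout follows the public GTPv1 header format (a real deployment would feed it UDP payloads captured on the GTP-C port).

```python
import struct
from dataclasses import dataclass

ECHO_REQUEST = 1     # GTPv1 message type "Echo Request"


@dataclass
class GtpV1Message:
    msg_type: int
    declared_len: int   # length field from the header
    teid: int
    payload: bytes      # everything after the (possibly extended) header


def parse_gtpv1(datagram: bytes) -> GtpV1Message:
    """Parse the mandatory 8-byte GTPv1 header plus the 4 optional bytes that
    follow it when the E, S or PN flag is set. The payload is taken from the
    actual datagram rather than the length field, so bytes appended beyond
    the declared length are not silently ignored."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise ValueError("not a GTPv1 message")
    hdr_len = 12 if flags & 0x07 else 8   # E=0x04, S=0x02, PN=0x01
    if len(datagram) < hdr_len:
        raise ValueError("optional header fields truncated")
    return GtpV1Message(msg_type, length, teid, datagram[hdr_len:])


def is_suspicious_echo(datagram: bytes) -> bool:
    """A well-formed Echo Request carries no data after its header fields;
    any trailing bytes are out of spec and worth alerting on."""
    try:
        msg = parse_gtpv1(datagram)
    except ValueError:
        return False
    return msg.msg_type == ECHO_REQUEST and len(msg.payload) > 0


def build_echo_request(extra: bytes = b"", seq=None) -> bytes:
    """Constructed test helper: a GTPv1 Echo Request, optionally with a
    sequence number (S flag) and with `extra` appended after the header."""
    opt = b"" if seq is None else struct.pack("!HBB", seq, 0, 0)
    flags = 0x30 | (0x02 if seq is not None else 0)   # version 1, PT=1, S flag
    return struct.pack("!BBHI", flags, ECHO_REQUEST, len(opt) + len(extra), 0) + opt + extra


if __name__ == "__main__":
    for name, pkt in {"plain echo": build_echo_request(seq=7),
                      "echo with trailing bytes": build_echo_request(b"constructed", seq=7)}.items():
        print(f"{name}: suspicious={is_suspicious_echo(pkt)}")
```

Echo Requests with no trailing data are reported as clean, so normal GRX keepalive traffic does not trigger the check.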