GTPDOOR Malware

Security analysts have identified a Linux malware named GTPDOOR, which is engineered explicitly for deployment within telecom networks proximate to GPRS roaming exchanges (GRX). Its innovative utilization of the GPRS Tunnelling Protocol (GTP) for Command-and-Control (C2) communications sets this malware apart. GPRS roaming enables subscribers to access their GPRS services when outside the coverage of their home mobile network. This is made possible through a GRX, which facilitates the transport of roaming traffic using GTP between the visited and home Public Land Mobile Network (PLMN).

Experts suspect that the GTPDOOR backdoor is potentially connected to a recognized threat actor, LightBasin (also known as UNC1945). This specific cybercriminal group has been linked to a string of attacks aimed at the telecommunications sector, with the objective of pilfering subscriber information and call metadata.

The GTPDOOR Malware Provides Illegal Access to Cybercriminals

Upon execution, GTPDOOR initiates its operations by altering its process name to '[syslog],' masquerading as a syslog invoked from the kernel. It takes measures to suppress child signals and proceeds to open a raw socket, enabling the implant to intercept UDP messages directed at the network interfaces.

In essence, GTPDOOR provides an avenue for a threat actor with established persistence on the roaming exchange network to communicate with a compromised host. This communication is achieved by transmitting GTP-C Echo Request messages containing a harmful payload. The GTP-C Echo Request message serves as a conduit to send commands to be executed on the infected machine and relay the results back to the remote host.

GTPDOOR can be discreetly probed from an external network, triggering a response by sending a TCP packet to any port number. If the implant is active, it returns a crafted empty TCP packet, along with information about whether the destination port was open or responsive on the host.

This implant appears tailored to reside on compromised hosts directly connected to the GRX network – these are systems that communicate with other telecommunication operator networks via the GRX.

The GTPDOOR Malware Performs Several Threatening Actions Once Activated

GTPDOOR engages in various malicious activities, including listening for a specific wakeup packet, identified as a GTP-C Echo Request message (GTP type 0x01). Remarkably, the host doesn't need any active listening sockets or services, as all UDP packets are received into user space through the raw socket the implant opens. Additionally, GTPDOOR is designed to execute a command on the host specified in the magic packet, returning the output to the remote host and supporting a 'reverse shell' type functionality. Requests and responses are transmitted as GTP_ECHO_REQUEST and GTP_ECHO_RESPONSE messages, respectively.
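A legitimate GTPv1 Echo Request carries no information elements, so a "magic" Echo Request that smuggles a command has to carry a body the protocol never uses. The following detection heuristic, added here as an example and not taken from the page or from any vendor tooling, parses GTPv1 headers from UDP payloads and flags Echo Requests that carry extra octets, use a non-zero TEID, or arrive on a port other than GTP-C (2123). It assumes GTPv1-C as used on GRX links (GTPv2 headers are deliberately not parsed), and the sample datagrams are constructed inline for illustration.

```python
"""Heuristic detector for GTP-C Echo Requests that carry an unexpected body.

Added example, not code from the original page or any vendor. Assumes GTPv1-C
(the GPRS roaming variant); GTPv2 packets are ignored. In GTPv1 an Echo Request
(type 0x01) has no mandatory information elements, so anything beyond the
optional 4-octet sequence/N-PDU/extension block is anomalous.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

GTP_C_PORT = 2123          # UDP port for GTP-C
GTP_ECHO_REQUEST = 0x01    # message type named in the write-up
OPTIONAL_FIELD_LEN = 4     # seq(2) + N-PDU(1) + next-ext(1), present when E/S/PN set


@dataclass
class GtpV1Header:
    msg_type: int
    length: int      # length field: octets following the 8-byte fixed header
    teid: int
    body: bytes      # octets after the (possibly extended) header


def parse_gtpv1(payload: bytes) -> Optional[GtpV1Header]:
    """Parse a GTPv1 header; return None for short packets or other versions."""
    if len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1:                     # top three bits hold the version
        return None
    header_len = 8
    if flags & 0x07:                        # any of E, S, PN set -> optional block present
        header_len += OPTIONAL_FIELD_LEN
    body = payload[header_len:8 + length]
    return GtpV1Header(msg_type, length, teid, body)


def echo_request_indicators(dst_port: int, payload: bytes) -> List[str]:
    """Return reasons a UDP datagram looks like a GTPDOOR-style magic packet.

    Every UDP payload is inspected regardless of port, because the implant reads
    all UDP traffic from a raw socket rather than binding to 2123.
    """
    hdr = parse_gtpv1(payload)
    if hdr is None or hdr.msg_type != GTP_ECHO_REQUEST:
        return []
    findings = []
    if hdr.body:
        findings.append(f"echo request carries {len(hdr.body)} body octets (expected none)")
    if hdr.teid != 0:
        findings.append(f"echo request with non-zero TEID 0x{hdr.teid:08x}")
    if dst_port != GTP_C_PORT:
        findings.append(f"GTP-C echo request on unexpected port {dst_port}")
    return findings


def build_echo_request(body: bytes = b"", teid: int = 0, seq: int = 1) -> bytes:
    """Construct a GTPv1 Echo Request with the S flag set (sample data only)."""
    flags = 0x32                                # version 1, PT=1, S=1
    optional = struct.pack("!HBB", seq, 0, 0)   # sequence, N-PDU, next extension
    length = len(optional) + len(body)
    return struct.pack("!BBHI", flags, GTP_ECHO_REQUEST, length, teid) + optional + body


# Constructed sample traffic: a routine keepalive, an echo with an opaque body,
# and the same kind of echo aimed at a port no GTP-C peer would use.
SAMPLES = [
    ("keepalive", GTP_C_PORT, build_echo_request()),
    ("opaque-body", GTP_C_PORT, build_echo_request(body=bytes(range(0x41, 0x41 + 24)))),
    ("odd-port", 4444, build_echo_request(body=b"constructed")),
]

if __name__ == "__main__":
    for label, port, pkt in SAMPLES:
        print(label, echo_request_indicators(port, pkt) or "ok")
```

In a real deployment the same function would be fed from a packet capture on the GRX-facing interface; the body-length check is the strongest signal, since a GTPv1 Echo Request with a body has no legitimate meaning. The page does not describe the payload layout beyond its XOR encoding, so the detector does not attempt to decode it.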

For security measures, GTPDOOR authenticates and encrypts the contents of magic GTP packet messages using a simple XOR cipher. At runtime, it can be instructed to change its authentication and encryption key through rekeying, preventing the default key hardcoded in the binary from being utilized by other threat actors. To blend into the environment, GTPDOOR changes its process name to resemble a syslog process invoked as a kernel thread. Importantly, it operates without requiring ingress firewall changes if the target host is permitted to communicate over the GTP-C port.
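The '[syslog]' process name relies on the convention that `ps` wraps kernel thread names in square brackets. Genuine kernel threads never carry the brackets themselves: their `/proc/<pid>/comm` is unbracketed, their `/proc/<pid>/cmdline` is empty, and `/proc/<pid>/exe` does not resolve. A user-space binary that renamed itself has at least one of those properties wrong. The check below, added here as an example and not code from the page or any vendor, walks `/proc` on a Linux host and reports processes whose bracketed name is backed by a real executable or command line; the `ProcRecord` type and the sample records are constructed for illustration.

```python
"""Find user-space processes masquerading as kernel threads (e.g. '[syslog]').

Added example, not from the original page or any vendor tooling. Assumes a
Linux /proc layout; ProcRecord and the sample records below are constructed.
"""
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcRecord:
    pid: int
    comm: str             # /proc/<pid>/comm
    exe: Optional[str]    # readlink(/proc/<pid>/exe); None when it does not resolve
    cmdline: str          # /proc/<pid>/cmdline with NUL separators replaced by spaces


def looks_like_kernel_thread_name(name: str) -> bool:
    return len(name) > 2 and name.startswith("[") and name.endswith("]")


def masquerade_indicators(rec: ProcRecord) -> List[str]:
    """Reasons this process looks like a user binary hiding behind a kernel-thread name."""
    findings = []
    names = [rec.comm]
    if rec.cmdline:
        names.append(rec.cmdline.split()[0])
    bracketed = [n for n in names if looks_like_kernel_thread_name(n)]
    if bracketed:
        # The kernel never writes brackets into comm or cmdline; ps adds them for
        # display only. A bracketed name here was chosen by the process itself.
        findings.append(f"pid {rec.pid}: bracketed name {bracketed[0]!r} set by a user process")
        if rec.exe:
            findings.append(f"pid {rec.pid}: backed by executable {rec.exe}")
    elif not rec.cmdline and rec.exe:
        # Empty cmdline with a resolvable exe: argv was wiped, another hiding trick.
        findings.append(f"pid {rec.pid}: empty cmdline but executable {rec.exe}")
    return findings


def read_proc(pid: int) -> Optional[ProcRecord]:
    """Build a ProcRecord from /proc; returns None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None   # kernel threads, zombies, or processes we lack permission to inspect
    return ProcRecord(pid, comm, exe, cmdline)


def scan_proc() -> List[str]:
    """Scan every live pid; run as root so /proc/<pid>/exe resolves for all users."""
    findings: List[str] = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            rec = read_proc(int(entry))
            if rec is not None:
                findings.extend(masquerade_indicators(rec))
    return findings


# Constructed records: a real kernel thread, a normal daemon, and two masquerades.
SAMPLE_RECORDS = [
    ProcRecord(2, "kthreadd", None, ""),
    ProcRecord(900, "rsyslogd", "/usr/sbin/rsyslogd", "/usr/sbin/rsyslogd -n"),
    ProcRecord(1234, "[syslog]", "/tmp/constructed/implant", "[syslog]"),
    ProcRecord(1300, "implant", None, "[syslog]"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.pid, masquerade_indicators(rec) or "ok")
    for line in scan_proc():
        print(line)
```

The `comm` check catches a rename done through `prctl(PR_SET_NAME)`, the `cmdline` check catches an overwritten `argv[0]`, and the `exe` link identifies the on-disk binary for triage even when the name has been changed. Without root the `exe` link is unreadable for other users' processes, but the bracket test still works because it needs only `comm` and `cmdline`.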