Risk hunters have found a brand new Linux malware referred to as GTPDOOR that is designed to be deployed in telecom networks which might be adjoining to GPRS roaming exchanges (GRX)
The malware is novel in the truth that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.
GPRS roaming permits subscribers to entry their GPRS companies whereas they’re past the attain of their house cell community. That is facilitated by the use of a GRX that transports the roaming visitors utilizing GTP between the visited and the house Public Land Cellular Community (PLMN).
Safety researcher haxrob, who found two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, stated the backdoor is probably going linked to a identified menace actor tracked as LightBasin (aka UNC1945), which was beforehand disclosed by CrowdStrike in October 2021 in reference to a collection of assaults concentrating on the telecom sector to steal subscriber info and name metadata.
“When run, the very first thing GTPDOOR does is process-name stomps itself – altering its course of title to ‘[syslog]’ – disguised as syslog invoked from the kernel,” the researcher stated. “It suppresses baby alerts after which opens a uncooked socket [that] will enable the implant to obtain UDP messages that hit the community interfaces.”
Put in a different way, GTPDOOR permits a menace actor that already has established persistence on the roaming trade community to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.
This magic GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the contaminated machine and return the outcomes again to the distant host.
GTPDOOR “Will be covertly probed from an exterior community to elicit a response by sending a TCP packet to any port quantity,” the researcher famous. “If the implant is energetic a crafted empty TCP packet is returned together with info if the vacation spot port was open/responding on the host.”
“This implant appears to be like like it’s designed to sit down on compromised hosts that instantly contact the GRX community – these are the methods that talk to different telecommunication operator networks through the GRX.”
