Home Latest Cyber Security News | Network Security Hacking New GTPDOOR Malware Exploits GPRS Threatening Telecom
Latest Cyber Security News | Network Security HackingNews

New GTPDOOR Malware Exploits GPRS Threatening Telecom

by Abeerah Hashim
written by Abeerah Hashim
LightBasin attackers target telecom sector via GTPDOOR malware

Researchers have detected a new Linux malware in the wild threatening the telecom industry. The malware, identified as GPTDOOR, exploits GPRS protocol to receive C&C commands. While the malware seems new, it belongs to LightBasin – a threat actor group already known for targeting the telecom sector.

GTPDOOR Malware Exploits GPRS Roaming

According to a recent post from the security researcher with alias haxrob, a new Linux malware “GTPDOOR” has emerged as the latest threat for the telecommunication sector. The threat actors behind the campaign intend to target the telecommunication networks by deploying this malware on the target network systems adjacent to the GRX (GRPS eXchange Network).

The malware is so named given its functionality to communicate with its C&C via GTP-C (GPRS Tunnelling Protocol – Control Plane) signaling messages. Besides, this malware also resembles another known Linux malware “BPFDOOR” in that both malware use the “port knocking / magic packet” technique; however, the latter utilizes BFP/pcap filters instead of GTP-C.

Once deployed, the malware helps the attacker gain persistent access to the target roaming exchange network and contact a compromised host by sending malicious GTP-C Echo Request messages. These messages transmit the command to be executed on the target system via magic packet and send the output to the remote host.

Explaining the malware functions, the researcher stated that this malware seems to have been designed in a way to be placed directly on the GRX network. This feature enables the adversary to maintain direct access to the target telco’s core network and execute functions requiring direct GRX network connectivity.

The researcher presented a detailed technical analysis of this malware in the post and shared the detection strategies. Besides, the researcher also advised using GTP firewalls that could detect malicious GTP packets and prevent malware activity.

Regarding the threat actors behind GTPDOOR, the researcher traced the link to the notorious LightBasin group. This threat actor group first became known in 2021, when CrowdStrike researchers found them targeting the telecom sector with Linux malware.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...