New GTPDOOR Malware Exploits GPRS Threatening Telecom

Researchers have detected a new Linux malware in the wild threatening the telecom industry. The malware, identified as GPTDOOR, exploits GPRS protocol to receive C&C commands. While the malware seems new, it belongs to LightBasin – a threat actor group already known for targeting the telecom sector.

GTPDOOR Malware Exploits GPRS Roaming

According to a recent post from the security researcher with alias haxrob, a new Linux malware “GTPDOOR” has emerged as the latest threat for the telecommunication sector. The threat actors behind the campaign intend to target the telecommunication networks by deploying this malware on the target network systems adjacent to the GRX (GRPS eXchange Network).

The malware is so named given its functionality to communicate with its C&C via GTP-C (GPRS Tunnelling Protocol – Control Plane) signaling messages. Besides, this malware also resembles another known Linux malware “BPFDOOR” in that both malware use the “port knocking / magic packet” technique; however, the latter utilizes BFP/pcap filters instead of GTP-C.

Once deployed, the malware helps the attacker gain persistent access to the target roaming exchange network and contact a compromised host by sending malicious GTP-C Echo Request messages. These messages transmit the command to be executed on the target system via magic packet and send the output to the remote host.

Explaining the malware functions, the researcher stated that this malware seems to have been designed in a way to be placed directly on the GRX network. This feature enables the adversary to maintain direct access to the target telco’s core network and execute functions requiring direct GRX network connectivity.

The researcher presented a detailed technical analysis of this malware in the post and shared the detection strategies. Besides, the researcher also advised using GTP firewalls that could detect malicious GTP packets and prevent malware activity.

Regarding the threat actors behind GTPDOOR, the researcher traced the link to the notorious LightBasin group. This threat actor group first became known in 2021, when CrowdStrike researchers found them targeting the telecom sector with Linux malware.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients