Security researcher HaxRob has discovered a previously unknown Linux backdoor called GTPDOOR that is designed to operate covertly within mobile carrier networks.
The threat actors behind GTPDOOR are believed to be targeting systems adjacent to GPRS roaming exchanges (GRXs), such as SGSNs, GGSNs and P-GWs, which give attackers direct access to telco core networks.
GRX is the interconnection network that carries data-roaming traffic between operators across different geographical areas, while the Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN) and Packet Data Network Gateway (P-GW, its 4G LTE counterpart) are components of a mobile operator's core network, each with a distinct role in handling subscriber traffic.
Because the IP address ranges of SGSN, GGSN and P-GW networks are publicly documented, the researcher believes these networks are likely targets for initial access into mobile operators' networks.
In his post, HaxRob explains that GTPDOOR is likely a tool belonging to the “LightBasin” threat group (UNC1945), which is notorious for its intelligence gathering operations targeting multiple telecommunications providers around the world.
Two versions of the backdoor were found uploaded to VirusTotal in late 2023, both of which were barely detected by antivirus engines. The binaries were built for very old versions of Red Hat Linux, suggesting that the intended targets run outdated systems.
Stealth Operation GTPDOOR
GTPDOOR is an advanced backdoor malware customized for telecommunications networks, leveraging the GPRS Tunneling Protocol Control Plane (GTP-C) for covert command and control (C2) communications.
It is designed to be deployed on Linux-based systems adjacent to the GRX, hosts that handle roaming-related signaling and route and forward user-plane traffic.
Using GTP-C for communications allows GTPDOOR to blend into legitimate network traffic and utilize already allowed ports that aren’t monitored by standard security solutions. To further increase its stealth, GTPDOOR can change its process name to mimic legitimate system processes.
The malware wakes up by listening for specific GTP-C echo request messages (“magic packets”), then executes the specified command on the host and sends the output back to the operator.
Malicious Packet Structure (doubleagent.net)
The contents of the magic GTP packets are authenticated and encrypted using a simple XOR cipher, ensuring that only authorized operators have control over the malware.
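As an added illustration of the detection angle this implies (example code written for this page, not code from HaxRob's write-up or from the malware), the following Python script parses GTPv1-C headers from constructed datagrams and flags echo requests that arrive from a peer outside the roaming allow-list or that carry a body beyond the optional Recovery IE. The port, message-type and IE numbers are from the GTPv1 specification; the allow-list, the sample packets and the "body beyond a Recovery IE" heuristic are assumptions made for the example.

```python
import ipaddress
import struct
from typing import Optional

GTP_C_PORT = 2123    # standard UDP port for GTP-C (GTP-U uses 2152)
ECHO_REQUEST = 1     # GTPv1 message type: Echo Request
RECOVERY_IE = 14     # Recovery IE, the only IE a normal GTPv1 echo message carries

# Roaming partners whose GTP-C echo requests are expected. Constructed for the
# example from a documentation prefix; a real deployment uses the GRX peer list.
ALLOWED_PEERS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed GTPv1-C datagrams (UDP payloads only), not captures from the report.
# Header: flags, type, length, TEID, then seq / N-PDU / next-ext when the S bit is set.
NORMAL_ECHO = bytes.fromhex("32 01 0004 00000000 0001 00 00")
ECHO_WITH_RECOVERY = bytes.fromhex("32 01 0006 00000000 0002 00 00 0e05")
# Echo request whose body carries 16 opaque bytes instead of (at most) a Recovery IE.
OPAQUE_ECHO = bytes.fromhex("32 01 0014 00000000 0007 00 00") + bytes(range(0x41, 0x51))

SAMPLE_DATAGRAMS = [
    # (source IP, destination UDP port, payload)
    ("192.0.2.10", GTP_C_PORT, NORMAL_ECHO),
    ("192.0.2.10", GTP_C_PORT, ECHO_WITH_RECOVERY),
    ("198.51.100.7", GTP_C_PORT, OPAQUE_ECHO),   # unknown peer and opaque body
    ("192.0.2.10", GTP_C_PORT, OPAQUE_ECHO),     # known peer, opaque body
    ("192.0.2.10", 2152, NORMAL_ECHO),           # GTP-U port: out of scope here
]


def parse_gtpv1(datagram: bytes) -> Optional[dict]:
    """Parse a GTPv1 header; return None for non-GTPv1 or truncated input."""
    if len(datagram) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:              # top three bits: protocol version
        return None
    body = datagram[8:8 + length]
    if len(body) != length:
        return None                  # truncated datagram
    seq = None
    offset = 0
    if flags & 0x07:                 # E, S or PN set: 4 optional header octets follow
        if length < 4:
            return None
        if flags & 0x02:             # S bit: sequence number present
            seq = struct.unpack("!H", body[:2])[0]
        offset = 4
    return {"type": msg_type, "teid": teid, "seq": seq, "ies": body[offset:]}


def echo_body_is_unexpected(ies: bytes) -> bool:
    """A well-formed echo request carries no IEs or a single 2-byte Recovery IE."""
    if len(ies) == 0:
        return False
    if len(ies) == 2 and ies[0] == RECOVERY_IE:
        return False
    return True


def scan(datagrams, allowed_peers):
    """Return one alert per GTP-C echo request that breaks either rule."""
    alerts = []
    for src, dport, data in datagrams:
        if dport != GTP_C_PORT:
            continue
        pkt = parse_gtpv1(data)
        if pkt is None or pkt["type"] != ECHO_REQUEST:
            continue
        reasons = []
        if not any(ipaddress.ip_address(src) in net for net in allowed_peers):
            reasons.append("source is not a known roaming peer")
        if echo_body_is_unexpected(pkt["ies"]):
            reasons.append(f"echo request body is {len(pkt['ies'])} bytes, not a bare Recovery IE")
        if reasons:
            alerts.append({"src": src, "seq": pkt["seq"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_DATAGRAMS, ALLOWED_PEERS):
        print(alert)
```

Feeding real traffic to this requires a packet source (a pcap reader or a sniffer on the GTP-C interface) in place of the constructed list; the two rules stay the same. Echo requests are normally tiny and come only from known peers, so both conditions are cheap to evaluate on a GRX edge.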
GTPDOOR v1 supports the following operations on a compromised host:
- Set a new encryption key to be used for C2 communications
- Write arbitrary data to a local file named 'system.conf'
- Execute arbitrary shell commands and return their output
In addition to the above operations, GTPDOOR v2 also supports the following operations:
- Specify IP addresses or subnets that are allowed to communicate with the compromised host through an Access Control List (ACL) mechanism
- Retrieve the ACL list to dynamically adjust the backdoor's network permissions
- Clear the ACL to reset the malware
HaxRob also notes that the malware can be probed covertly from an external network, eliciting a response via a TCP packet sent through any port.
GTPDOOR attack overview (doubleagent.net)
Detection and Prevention
Detection strategies include monitoring for specific malware indicators such as anomalous raw socket activity, unexpected process names, and duplicate syslog processes.
The recommended discovery procedure is as follows:
- Use lsof to check for open raw sockets, which indicate a potential compromise.
- Use netstat -lp --raw to find unusual listening sockets.
- Identify processes that mimic kernel threads with unusual PPIDs.
- Search for the mutex file /var/run/daemon.pid used by GTPDOOR.
- Look for unexpected system.conf files that may have been created by the malware.
Unusual PIDs (doubleagent.net)
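The host-side checks above can be scripted. The following Python triage script is an added example for this page, not code from the original write-up: it runs the same five checks, plus the duplicate-syslog check mentioned earlier, over a constructed host snapshot that stands in for live `ps -ef`, `lsof` and filesystem output. The mutex path and the system.conf file name come from the report; the sample process table, the lsof lines, the assumed-benign /etc/systemd/system.conf entry and the "bracketed name with a parent other than kthreadd (PID 2)" heuristic are assumptions made for the example.

```python
import os
from collections import Counter

MUTEX_FILE = "/var/run/daemon.pid"                   # mutex file named in the report
EXPECTED_SYSTEM_CONF = {"/etc/systemd/system.conf"}  # assumed benign; tune per host
SYSLOG_NAMES = {"syslogd", "rsyslogd", "syslog-ng"}
KTHREADD_PID = 2                                     # parent of every real kernel thread

# Constructed host snapshot standing in for `ps -ef`, `lsof` and a filesystem walk.
PROCESSES = [
    # (pid, ppid, command as shown by `ps -ef`)
    (1, 0, "/sbin/init"),
    (2, 0, "[kthreadd]"),
    (15, 2, "[kworker/0:1]"),      # real kernel thread: child of kthreadd
    (734, 1, "syslogd"),
    (1337, 1, "syslogd"),          # second syslog daemon
    (1402, 1, "[kworker/1:2]"),    # kernel-thread lookalike with PPID 1
]
LSOF_LINES = [
    "COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME",
    "syslogd   734 root    3u  unix 0x0001      0t0 1234 /dev/log",
    "syslogd  1337 root    4u   raw    0t0        0 5678 00000000:0000->00000000:0000 st=07",
]
FILES_PRESENT = {
    "/var/run/daemon.pid",
    "/etc/sysctl.conf",
    "/tmp/system.conf",
    "/opt/app/system.conf",
}


def raw_sockets(lsof_lines):
    """(command, pid) for every lsof row whose TYPE column is 'raw'."""
    hits = []
    for line in lsof_lines[1:]:            # skip the header row
        fields = line.split()
        if len(fields) > 4 and fields[4] == "raw":
            hits.append((fields[0], int(fields[1])))
    return hits


def kernel_thread_impostors(processes):
    """Bracketed names that are not children of kthreadd."""
    return [
        (pid, ppid, comm)
        for pid, ppid, comm in processes
        if comm.startswith("[") and comm.endswith("]") and ppid != KTHREADD_PID
        and pid != KTHREADD_PID
    ]


def duplicate_syslog(processes):
    """Syslog daemon names that appear more than once."""
    counts = Counter(comm for _, _, comm in processes if comm in SYSLOG_NAMES)
    return {name: n for name, n in counts.items() if n > 1}


def suspicious_files(paths):
    """The mutex file and any system.conf outside the expected set."""
    hits = []
    for path in sorted(paths):
        is_conf = os.path.basename(path) == "system.conf" and path not in EXPECTED_SYSTEM_CONF
        if path == MUTEX_FILE or is_conf:
            hits.append(path)
    return hits


def triage(processes, lsof_lines, files):
    """One human-readable finding per indicator."""
    findings = []
    for comm, pid in raw_sockets(lsof_lines):
        findings.append(f"raw socket open by {comm} (pid {pid})")
    for pid, ppid, comm in kernel_thread_impostors(processes):
        findings.append(f"{comm} (pid {pid}) looks like a kernel thread but has ppid {ppid}")
    for name, n in duplicate_syslog(processes).items():
        findings.append(f"{n} copies of {name} running")
    for path in suspicious_files(files):
        findings.append(f"unexpected file {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(PROCESSES, LSOF_LINES, FILES_PRESENT):
        print(finding)
```

On a live host, replace the three constructed inputs with the output of `ps -ef`, `lsof` and a walk of the directories of interest; each check is independent, so a single hit is enough to justify a closer look at the process or file it names.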
The following YARA rules are also provided to help defenders detect the GTPDOOR malware:
Finally, the researcher suggests defensive measures such as GTP firewalls with strict rules, configured in line with the GSMA security guidelines (1, 2), to block or filter malicious packets and connections.