Novel GTPDOOR Linux backdoor targets telco networks

A security researcher has discovered a novel Linux backdoor named ‘GTPDOOR’ designed to target mobile carrier networks.

“GTPDOOR is the name of Linux based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GPRS eXchange Network) with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol - Control Plane) signalling messages. This allows the C2 traffic to blend in with normal traffic and to reuse already permitted ports that may be open and exposed to the GRX network,” HaxRob explained in a blog post.

The researcher said that the new backdoor is likely the work of a threat actor tracked as UNC1945 (Mandiant) or LightBasin (CrowdStrike), known for its attacks against the telecommunications sector on a global scale.

Active since at least 2016, the threat actor leverages custom tools and has in-depth knowledge of telecommunications network architectures. LightBasin employs significant operational security (OPSEC) measures, primarily establishing implants across Linux and Solaris servers, with a particular focus on specific telecommunications systems, and only interacting with Windows systems as needed.

Telecommunication networks globally rely on a closed network infrastructure to facilitate interconnectivity between operators. Direct connectivity to the GRX network is crucial for routing roaming-related signaling and user plane traffic. Network elements such as eDNS, SGSN, GGSN, P-GW, STP, and DRA play vital roles in this ecosystem, facilitating packet switching, routing, authentication, and signaling traffic for various generations of cellular technology, HaxRob notes, explaining that this is where GTPDOOR could be implanted.

“That said, if the GRX firewall is not configured right, there would be opportunities to place this type of implant elsewhere, or even within the internal core network,” the researcher said.

A threat actor with established persistence on the roaming exchange network can use the GTPDOOR backdoor to engage with a compromised host by sending GTP-C Echo Request messages with a malicious payload. To date, two variants of this backdoor have been identified, which were uploaded to VirusTotal in late 2023 from Italy and China. Notably, both versions exhibited a very low detection rate. Both binaries were built for a particularly old Linux distribution, “Red Hat Linux 4.1,” the researcher said.
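The detection angle this implies is worth making concrete: a GTPv1-C Echo Request is a keepalive and should carry nothing of substance, so one that arrives with extra bytes behind the header, or with a non-zero TEID, deserves inspection. The script below is an added example written for this article; it is not GTPDOOR's code, nor HaxRob's, and it does not claim to match GTPDOOR's actual payload format. It assumes GTPv1-C as defined in 3GPP TS 29.060 (UDP/2123, 8-byte header plus an optional 4-byte sequence/N-PDU/extension block), and the sample datagrams it scans are constructed inline for the example.

```python
"""Flag GTPv1-C Echo Requests that carry more than a keepalive needs.

Added example for this article (not GTPDOOR's or HaxRob's code). Assumes
GTPv1-C per 3GPP TS 29.060; the sample datagrams below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

GTPC_UDP_PORT = 2123
ECHO_REQUEST = 1
ECHO_RESPONSE = 2
PRIVATE_EXTENSION_IE = 255


@dataclass
class GtpV1Message:
    msg_type: int
    teid: int
    seq: Optional[int]
    payload: bytes  # bytes after the mandatory header and optional field block


def parse_gtpv1(datagram: bytes) -> GtpV1Message:
    """Parse the 8-byte GTPv1 header plus the optional 4-byte block (seq, N-PDU, next ext)."""
    if len(datagram) < 8:
        raise ValueError("datagram shorter than GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise ValueError(f"not GTPv1 (version field {flags >> 5})")
    body = datagram[8:8 + length]
    if len(body) != length:
        raise ValueError("length field exceeds datagram")
    seq = None
    if flags & 0x07:  # any of E, S, PN set: the optional 4-byte block is present
        if len(body) < 4:
            raise ValueError("optional field block missing")
        if flags & 0x02:  # S flag: the sequence number field is meaningful
            seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return GtpV1Message(msg_type, teid, seq, body)


def build_gtpv1(msg_type: int, teid: int = 0, seq: int = 0, payload: bytes = b"") -> bytes:
    """Build a GTPv1-C datagram with flags 0x32 (version 1, PT=1, S=1)."""
    opt = struct.pack("!HBB", seq, 0, 0)  # sequence number, N-PDU number, next ext type
    return struct.pack("!BBHI", 0x32, msg_type, len(opt) + len(payload), teid) + opt + payload


def echo_request_anomalies(datagram: bytes) -> list[str]:
    """Reasons an Echo Request deserves a look; an empty list means it looks ordinary.

    Assumption made for this example: an Echo Request normally has TEID 0 and
    nothing after the optional field block (TS 29.060 allows only an optional
    Private Extension IE there), so anything else is worth inspecting.
    """
    try:
        msg = parse_gtpv1(datagram)
    except ValueError as err:
        return [f"malformed: {err}"]
    if msg.msg_type != ECHO_REQUEST:
        return []
    reasons = []
    if msg.teid != 0:
        reasons.append(f"echo request with non-zero TEID 0x{msg.teid:08x}")
    if msg.payload:
        if msg.payload[0] == PRIVATE_EXTENSION_IE:
            reasons.append(f"private extension IE carrying {len(msg.payload)} bytes")
        else:
            reasons.append(f"{len(msg.payload)} unexpected bytes after header: {msg.payload[:16]!r}")
    return reasons


def scan(datagrams):
    """Return (index, reasons) for every datagram that raised a flag."""
    hits = []
    for i, d in enumerate(datagrams):
        r = echo_request_anomalies(d)
        if r:
            hits.append((i, r))
    return hits


# Constructed sample of UDP/2123 payloads (not real traffic, not GTPDOOR samples).
SAMPLE_DATAGRAMS = [
    build_gtpv1(ECHO_REQUEST, seq=1),                              # ordinary keepalive
    build_gtpv1(ECHO_RESPONSE, seq=1, payload=bytes([14, 0])),     # Recovery IE: normal reply
    build_gtpv1(ECHO_REQUEST, seq=2, payload=b"constructed-cmd"),  # extra bytes: suspicious
    build_gtpv1(ECHO_REQUEST, teid=0x00C0FFEE, seq=3),             # TEID on an echo: odd
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_DATAGRAMS):
        print(f"datagram {idx}: " + "; ".join(reasons))
```

Run against a live capture, the same logic would be fed the UDP payloads of port 2123 traffic crossing the GRX boundary; the point of the private-extension branch is that a legitimate vendor extension and a covert channel look identical at the header level, so the alert should carry the bytes for an analyst rather than decide on its own.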
