New Linux Threat: GTPDOOR Backdoor Spies on Networks

Researchers have unveiled a novel menace targeting telecommunications networks: the cunning Linux-based backdoor, GTPDOOR, exploiting GPRS protocol vulnerabilities to clandestinely monitor infected devices. This malevolent software, linked to the notorious hacking collective LightBasin previously implicated in attacks on the telecom sector, enables perpetrators to stealthily exfiltrate sensitive subscriber data and call metadata. GTPDOOR’s distinctiveness lies in its utilization of the GTP protocol for communication with command servers, exerting control over compromised devices.

GPRS roaming facilitates subscribers’ access to mobile internet abroad through GRX switching centers that transmit traffic between roaming networks of different operators via GTP. Protocol vulnerabilities inflict damage on both users and providers alike.

Cybersecurity specialist haxrob discovered two instances of GTPDOOR backdoor uploaded to VirusTotal from China and Italy, attributing its likely association with the LightBasin group. CrowdStrike had previously documented the gang’s exploitation of GTP protocol and GPRS roaming flaws for surveillance and data theft.

Upon execution, GTPDOOR disguises itself as a system process, syslog, initiated by the kernel, blocking signals from other processes and opening a raw socket to receive network packets via the UDP protocol.

GTPDOOR facilitates an attacker, who has already accessed the GRX network, to communicate with the infected host by sending specialized GTP-C Echo Request packets containing malicious payloads. These packets serve as a conduit for executing commands and returning results to the remote host.

GTPDOOR adeptly gathers information on infected systems unobtrusively, responding to specific external network queries. Hackers send TCP packets to various ports on the victim’s computer, analyzing the responses to discern which ports are open or closed.

Thus, attackers can identify active network services and functions on compromised machines, acquiring valuable intelligence before further assaults. Experts believe GTPDOOR specifically targets communication operators’ servers directly connected to the GPRS network core. Infection of these critical infrastructures could lead to widespread data breaches and operational disruptions.