The security community has unveiled details surrounding a sophisticated Linux backdoor, identified as GTPDOOR, which targets telecommunications carrier networks. This malicious software, discovered by the researcher known as HaxRob, represents a significant threat to global communication systems, utilizing an innovative command and control (C2) transport protocol based on the GPRS Tunnelling Protocol (GTP).
Method of Operation
GTPDOOR employs the GPRS Tunnelling Protocol (GTP) for its communication, distinguishing itself by using GTP-C signaling messages—typically reserved for control plane activities in mobile networks—to remain undetected within telecom infrastructure. The malware stays dormant until it receives a "magic" wakeup packet, a GTP-C echo request message, which activates it. This approach allows it to evade detection: it requires no active listening socket or service of its own, since it intercepts incoming UDP packets directly via a raw socket.
Once activated, GTPDOOR can execute commands and deploy a reverse shell, wrapping requests and responses within GTP_ECHO_REQUEST and GTP_ECHO_RESPONSE messages. Remarkably, it can also be covertly probed from an external network, sending back a specially crafted TCP packet as a signal of its presence, further complicating detection efforts.
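As an added example (not from the original report or from HaxRob's analysis), the following Python code parses GTPv1-C headers and flags echo request/response datagrams on UDP/2123 whose payload deviates from what the protocol normally carries, which is the kind of anomaly a GTP echo-based covert channel like the one described above would produce. The sample datagrams are constructed inline; the byte layout follows 3GPP TS 29.060, and no assumption is made about the exact wire format GTPDOOR uses inside the echo messages.

```python
import struct
from dataclasses import dataclass

GTPC_PORT = 2123                 # GTP-C control plane port (GTPv1)
ECHO_REQUEST, ECHO_RESPONSE = 1, 2
RECOVERY_IE = 14                 # TV-format IE: 1 type byte + 1 value byte

@dataclass
class GtpV1Header:
    msg_type: int
    length: int     # bytes following the 8-byte mandatory header
    teid: int
    payload: bytes  # bytes after the mandatory (+ optional) header fields

def parse_gtpv1(data: bytes) -> GtpV1Header:
    """Parse a GTPv1-C datagram; raises ValueError on malformed input."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"not GTPv1 (version {flags >> 5})")
    # E, S or PN flag set -> 4 optional bytes (seq, N-PDU, next ext type)
    hdr_len = 12 if flags & 0x07 else 8
    body_end = 8 + length
    if body_end > len(data) or hdr_len > body_end:
        raise ValueError("declared length inconsistent with datagram")
    return GtpV1Header(msg_type, length, teid, data[hdr_len:body_end])

def suspicious_echo(data: bytes) -> list[str]:
    """Reasons a GTP-C echo datagram looks like a covert channel (empty = benign)."""
    try:
        h = parse_gtpv1(data)
    except ValueError as e:
        return [f"unparseable: {e}"]
    if h.msg_type not in (ECHO_REQUEST, ECHO_RESPONSE):
        return []                      # other GTP-C messages are out of scope here
    reasons = []
    if h.teid != 0:                    # echo messages always use TEID 0
        reasons.append("echo message with non-zero TEID")
    if h.msg_type == ECHO_REQUEST and h.payload:
        # Heuristic: a legitimate echo request carries no IEs (rarely a Private Extension)
        reasons.append(f"echo request carries {len(h.payload)} payload bytes")
    if h.msg_type == ECHO_RESPONSE and not (len(h.payload) == 2 and h.payload[0] == RECOVERY_IE):
        reasons.append("echo response payload is not a single Recovery IE")
    return reasons

def build_echo(msg_type: int, payload: bytes = b"", seq: int = 1, teid: int = 0) -> bytes:
    """Constructed GTPv1-C echo datagram with the S flag set (flags byte 0x32)."""
    body = struct.pack("!HBB", seq, 0, 0) + payload
    return struct.pack("!BBHI", 0x32, msg_type, len(body), teid) + body

# Constructed sample traffic: two benign echoes and one carrying smuggled data.
LEGIT_REQUEST = build_echo(ECHO_REQUEST)
LEGIT_RESPONSE = build_echo(ECHO_RESPONSE, bytes([RECOVERY_IE, 1]))
COVERT_REQUEST = build_echo(ECHO_REQUEST, b"constructed payload")
```

Feed the function the UDP payload of each datagram seen on port 2123 (for example from a PCAP); any non-empty result is worth correlating with host-side checks for processes holding raw sockets.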
I recently found two very interesting Linux binaries uploaded to VirusTotal.
I call this malware 'GTPDOOR'.
GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵 pic.twitter.com/IwuEcL14lx
— HaxRob (@haxrob) February 28, 2024
Attribution and Impact
Cybersecurity experts attribute GTPDOOR to LightBasin, also known as UNC1945, a threat group linked to China with a history of targeting telecommunications entities. This group's deep knowledge of telecom network architectures has enabled the deployment of specialized tools to access sensitive data, including call records and text messages. The discovery of GTPDOOR, with binaries uploaded to VirusTotal from Italy and China showing a low detection rate, underscores the ongoing sophisticated threat landscape facing global telecommunications.
The malware's design targets outdated Red Hat Linux machines, highlighting vulnerabilities in legacy systems still operational within telecom networks. By mimicking legitimate processes, such as the syslog process, and requiring minimal adjustments to ingress firewall configurations, GTPDOOR exemplifies the stealth and sophistication of modern cyber threats and the necessity for ongoing vigilance and up-to-date security practices.
In response to this discovery, cybersecurity professionals have already begun developing and distributing Yara rules for detecting GTPDOOR's presence, signaling the security community's proactive steps in combating this threat. As telecommunications networks form the backbone of global communications, the emergence of tools like GTPDOOR poses significant risks, necessitating comprehensive security strategies to protect against such advanced cyber espionage activities.