Security researchers have uncovered a new Linux malware named GTPDOOR, tailored to infiltrate telecom networks adjacent to GPRS roaming exchanges (GRX). Unlike typical malware, GTPDOOR employs the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications, a novel approach in malware tactics.
GPRS roaming enables subscribers to access GPRS services outside their home network. It is facilitated by the GRX, which uses GTP to transport roaming traffic between the visited and home networks. Security researcher haxrob found GTPDOOR artifacts uploaded to VirusTotal from China and Italy and linked the malware to the LightBasin threat actor, which is known for targeting the telecom sector to steal subscriber data and call metadata.
Upon execution, GTPDOOR conceals itself by changing its process name and opens a raw socket to receive UDP messages, enabling remote communication. Specifically, threat actors send GTP-C Echo Request messages carrying malicious payloads to compromised hosts on the roaming exchange network; these messages serve as the conduit for executing commands and returning their results.
GTPDOOR can be discreetly probed from external networks by sending TCP packets to any port, eliciting a response if the implant is active. The malware is designed to operate on compromised hosts interfacing with the GRX network, enabling communication with other telecommunication operator networks.
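The Echo Request abuse described above can be hunted for on the wire. The following Python sketch is an added example, not code from the research or from the malware; it assumes GTPv1-C over UDP (the variant used on GRX) and uses constructed sample datagrams, applying the defender-side heuristic that a legitimate Echo Request carries no body beyond the optional header fields and has a zero TEID, so any that differ warrant review.

```python
import struct

GTPC_PORT = 2123           # standard GTP-C port; assumption: GTPv1-C, as used on GRX
ECHO_REQUEST = 1           # GTPv1-C message type "Echo Request"

def parse_gtpv1(pkt: bytes):
    """Parse the mandatory 8-byte GTPv1 header. Returns None if this is not GTPv1."""
    if len(pkt) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    if flags >> 5 != 1:                      # version field (top 3 bits) must be 1
        return None
    opt = 4 if flags & 0x07 else 0           # E/S/PN set -> 4-byte optional field block
    body = pkt[8 + opt:8 + length]           # 'length' counts everything after byte 8
    return {"type": msg_type, "length": length, "teid": teid, "opt": opt,
            "body": body, "truncated": len(pkt) < 8 + length}

def echo_request_anomalies(pkt: bytes):
    """Reasons a GTPv1-C Echo Request looks abnormal; an empty list means it looks benign."""
    hdr = parse_gtpv1(pkt)
    if hdr is None or hdr["type"] != ECHO_REQUEST:
        return []
    reasons = []
    if hdr["body"]:
        reasons.append(f"echo request carries {len(hdr['body'])} body bytes; expected none")
    if hdr["teid"] != 0:
        reasons.append("echo request with non-zero TEID")
    if hdr["truncated"]:
        reasons.append("length field exceeds datagram size")
    return reasons

def scan_udp(records):
    """records: iterable of (src_ip, dst_port, payload) tuples. Returns a list of findings."""
    findings = []
    for src, dport, payload in records:
        reasons = echo_request_anomalies(payload)
        if reasons:
            # The implant reads from a raw socket, so the datagram need not target 2123;
            # report the port rather than filtering on it.
            findings.append({"src": src, "dport": dport, "reasons": reasons})
    return findings

# Constructed sample datagrams (not captured traffic and not any real implant format):
BENIGN_ECHO = bytes.fromhex("32010004" "00000000" "00010000")   # v1, S flag, seq=1, no body
SUSPICIOUS_ECHO = bytes.fromhex("30010012" "00000000") + b"CONSTRUCTED_SAMPLE"

if __name__ == "__main__":
    sample = [("198.51.100.7", 2123, BENIGN_ECHO), ("203.0.113.9", 2123, SUSPICIOUS_ECHO)]
    for finding in scan_udp(sample):
        print(finding)
```

In practice the records would come from a packet capture or NetFlow/PCAP export of the GRX-facing interface, and any hit should be correlated with the host's process list for the renamed process the article describes.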
In essence, GTPDOOR represents a significant threat to telecom networks, highlighting the evolving sophistication of malware targeting critical infrastructure. Vigilance and robust security measures are crucial to mitigate such threats and protect sensitive data and network integrity.