In the shadowy corridors of cyberspace, a new digital specter has emerged, casting a long shadow over the telecommunications realm. Dubbed GTPDOOR, this Linux-based malware has been crafted with precision to infiltrate the networks that skirt the edges of the GPRS Roaming Exchanges (GRX), a critical juncture in the world of mobile communications.
At its core, GTPDOOR is an enigma, utilizing the GPRS Tunnelling Protocol (GTP) not just as a means of traversal but as its command-and-control (C2) lifeline. This strategic choice is no mere coincidence; it taps into the very heart of GPRS roaming, a service that ensures mobile users remain connected, even when they wander far from their home network’s embrace. Through the GRX, a digital bridge of sorts, roaming traffic flows freely, connecting visitors to their home turf via the GTP.
The discovery of GTPDOOR came to light thanks to the keen eye of haxrob, a sentinel in the digital watchtower. Unearthing two distinct artifacts of this malware, originating from the distant lands of China and Italy, haxrob has linked this digital intruder to the shadowy collective known as LightBasin (or UNC1945), a name that echoes ominously through the halls of cybersecurity following CrowdStrike’s revelations in October 2021. LightBasin’s legacy is one of stealth and subterfuge, with a penchant for pilfering subscriber data and call records from the unsuspecting telecom sector.
Upon activation, GTPDOOR reveals its cunning nature. It adopts a chameleon-like guise, masquerading as ‘[syslog]’, a benign process, thereby evading the prying eyes of system administrators. Its modus operandi involves silencing the echoes of child processes and crafting a raw socket—a digital ear, if you will—attuned to the whispers of UDP messages that caress the network’s interfaces.
But the true sorcery of GTPDOOR lies in its ability to beckon its masters through a unique incantation: a GTP-C Echo Request message, imbued with a malicious payload. This digital spell serves as a bridge, carrying commands across the ether to be executed in the shadows of the infected host, with the results spirited away to the remote conjurer.
Moreover, GTPDOOR harbors a secret handshake, a covert signal that can be broadcast from the beyond, enticing a response with but a TCP packet sent to any port. The malware, ever vigilant, responds with an empty packet, a silent nod indicating whether the coast is clear.
Thus, GTPDOOR stands sentinel on the compromised bastions that graze the GRX network, a silent guardian in the service of its unseen masters, facilitating a shadowy dialogue between the worlds of telecommunication.
