A newly discovered Linux backdoor, named “GTPDOOR”, uses GTP-C (GPRS Tunnelling Protocol – Control Plane) signaling messages to communicate with its C2 server. It is intended to be deployed on systems in telecommunication networks.
The threat actor who deploys this backdoor can reach a compromised host by sending GTP-C Echo Request messages that carry a malicious payload, and so execute commands remotely on the system. Because hosts facing the GRX (GPRS Roaming eXchange) must already accept GTP-C packets, the backdoor hides its C2 traffic inside what looks like legitimate roaming signaling.
Technical Analysis
According to the reports shared with Cyber Security News, abuse of GTP has previously been associated with the UNC1945 / LightBasin threat actor, which used it to hide TinyShell traffic inside a valid PDP (Packet Data Protocol) context by using an SGSN (Serving GPRS Support Node).
Persistence established by threat actor (Source: Double Agent)
GTPDOOR specifically uses GTP-C echo request/response messages and filters on UDP and GTP header values using simple cmp instructions. It can be placed on any host that is reachable over GTP-C, and a foothold on such a host offers a path further into the telecommunications core network.
If the GRX firewall is not configured properly, the backdoor could even be implanted on hosts inside the internal core network and still be reached from outside.
Background
Telecommunication network operators around the globe are interconnected through a “closed” network, the GRX, which provides the interconnectivity between their systems. A number of network elements have direct connectivity to the GRX in order to route or forward roaming-related signaling and user-plane traffic.
These systems include:
- eDNS – External DNS to resolve APN names
- SGSN, GGSN (Gateway GPRS Support Node) – 2G/3G packet core network elements
- P-GW (Packet Data Network Gateway) – 4G version of GGSN
- STP (Signal Transfer Point) – Signaling gateways for SS7 signaling
- DRA (Diameter Routing Agent) – 4G equivalent of the STP, but the signaling is carried over Diameter.
Summary of the Functionality
Initially, GTPDOOR listens for “magic” GTP-C echo request messages. It opens a raw socket so that every UDP packet reaching the host is copied into user space; the implant therefore never binds a listening UDP port and does not show up as a listening service.
When a “magic” packet is received, GTPDOOR executes the command carried in the packet and returns the output to the remote host. Its presence can also be probed from an external network by sending a TCP packet to any port number.
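As an added illustration (not code from the original report or from the implant), here is a small Python inspector for the mechanism described above: it parses the GTPv1 header of UDP datagrams addressed to the GTP-C port and flags echo requests that carry bytes beyond the header, which a normal echo request never needs (the optional Private Extension IE is the one legitimate exception, so treat hits as hunting leads rather than verdicts). The sample datagrams are constructed here, the command body is a stand-in, and the real implant's magic value and key are not reproduced.

```python
import struct
from dataclasses import dataclass
from typing import List

GTP_C_PORT = 2123          # standard GTP-C UDP port
GTP_ECHO_REQUEST = 0x01
GTP_ECHO_RESPONSE = 0x02


@dataclass
class GtpHeader:
    version: int
    msg_type: int
    length: int        # bytes following the 8 mandatory header bytes
    teid: int
    header_len: int    # 8, or 12 when any of the E/S/PN flag bits is set


def parse_gtpv1(payload: bytes) -> GtpHeader:
    """Parse the GTPv1 header (flags, type, length, TEID, optional seq/N-PDU/ext)."""
    if len(payload) < 8:
        raise ValueError("shorter than a GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    version = flags >> 5
    header_len = 12 if flags & 0x07 else 8     # E, S or PN set -> 4 optional bytes present
    if len(payload) < header_len:
        raise ValueError("optional header fields truncated")
    return GtpHeader(version, msg_type, length, teid, header_len)


def inspect_gtpc_datagram(udp_dst_port: int, payload: bytes) -> List[str]:
    """Return findings for one UDP datagram; an empty list means nothing notable."""
    if udp_dst_port != GTP_C_PORT:
        return []
    try:
        hdr = parse_gtpv1(payload)
    except ValueError as exc:
        return [f"unparseable GTP header: {exc}"]
    findings = []
    if hdr.version != 1:
        findings.append(f"GTP version {hdr.version} on GTP-C port")
    declared = 8 + hdr.length
    if declared != len(payload):
        findings.append(f"length field covers {declared} bytes but datagram has {len(payload)}")
    if hdr.msg_type == GTP_ECHO_REQUEST:
        body = payload[hdr.header_len:]
        if body:
            findings.append(f"echo request carries {len(body)} body byte(s) beyond the header")
    return findings


# Constructed sample datagrams (not captured traffic). Flags 0x32 = version 1, PT=1, S=1.
LEGIT_ECHO_REQUEST = bytes.fromhex("32 01 0004 00000000 0001 00 00")
LEGIT_ECHO_RESPONSE = bytes.fromhex("32 02 0006 00000000 0001 00 00 0e 01")   # plus Recovery IE
_cmd = b"CONSTRUCTED:id"   # 14-byte stand-in for the implant's obfuscated command body
ABUSED_ECHO_REQUEST = (bytes.fromhex("32 01") + struct.pack("!H", 4 + len(_cmd))
                       + bytes.fromhex("00000000 0001 00 00") + _cmd)

if __name__ == "__main__":
    samples = [("legit echo request", LEGIT_ECHO_REQUEST),
               ("legit echo response", LEGIT_ECHO_RESPONSE),
               ("echo request with body", ABUSED_ECHO_REQUEST)]
    for name, pkt in samples:
        print(f"{name}: {inspect_gtpc_datagram(GTP_C_PORT, pkt) or 'ok'}")
```

Feed the function from a pcap reader or a raw-socket sniffer on the GRX-facing interface; anything it flags is worth pulling the full datagram for, and the body bytes can only be decoded with the implant's own key.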
GTPDOOR also authenticates and encrypts the contents of the magic GTP packets with a simple XOR cipher. The key is hard-coded but can be replaced at runtime, which stops other threat actors who know the default key from using the implant. A XOR cipher under a shared key gives neither real confidentiality nor real authentication; in practice it is a magic-value check rather than cryptographic protection.
In addition, the backdoor blends in by changing its process name to resemble a syslog kernel thread. No firewall change is needed where the target host is already allowed to receive traffic on the GTP-C port (UDP 2123).
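The two host-side traits above (a user-space process posing as a kernel thread, and a raw socket that receives all UDP without a listening port) can both be checked from /proc. The Python below is an added example, not tooling from the original report: a real kernel thread has an empty cmdline and no exe link, so any process whose actual argv is bracket-wrapped has rewritten its own name; and in /proc/net/raw the "port" half of local_address is the IP protocol number, so 00000000:0011 is a raw socket for protocol 17 (UDP). The sample process table, fd links and /proc/net/raw text are constructed, and the path /tmp/dbus-echo is an assumed location for the sample named on this page.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

IPPROTO_UDP = 17


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm
    cmdline: str         # /proc/<pid>/cmdline with NULs replaced by spaces ("" for kernel threads)
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when unreadable (true kernel threads)


def masquerading_kernel_threads(procs: List[Proc]) -> List[Proc]:
    """ps only shows kernel threads in brackets because their cmdline is empty;
    a process whose real argv[0] is bracket-wrapped has overwritten its own name."""
    hits = []
    for p in procs:
        argv0 = p.cmdline.split(" ", 1)[0]
        if argv0.startswith("[") and argv0.endswith("]"):
            hits.append(p)
    return hits


def udp_raw_socket_inodes(proc_net_raw: str) -> List[int]:
    """Inodes of raw sockets bound to protocol 17 (UDP) from /proc/net/raw text."""
    inodes = []
    for line in proc_net_raw.splitlines()[1:]:       # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        proto = int(f[1].split(":")[1], 16)          # local_address is addr:proto for raw sockets
        if proto == IPPROTO_UDP:
            inodes.append(int(f[9]))                 # inode column
    return inodes


def socket_owners(fd_links: Dict[int, List[str]], inodes: List[int]) -> Dict[int, List[int]]:
    """Map socket inode -> pids whose /proc/<pid>/fd symlinks point at it."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners: Dict[int, List[int]] = {i: [] for i in inodes}
    for pid, links in fd_links.items():
        for link in links:
            if link in wanted:
                owners[wanted[link]].append(pid)
    return owners


def hunt(procs: List[Proc], proc_net_raw: str, fd_links: Dict[int, List[str]]) -> Dict[str, List[int]]:
    masq = [p.pid for p in masquerading_kernel_threads(procs)]
    owners = socket_owners(fd_links, udp_raw_socket_inodes(proc_net_raw))
    raw = sorted({pid for pids in owners.values() for pid in pids})
    return {"masquerading_kernel_thread": masq, "udp_raw_socket": raw}


def collect_live():
    """Read the real /proc (Linux only; root is needed to see other users' fd links)."""
    procs, fd_links = [], {}
    for entry in filter(str.isdigit, os.listdir("/proc")):
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                status = dict(l.split(":", 1) for l in fh.read().splitlines() if ":" in l)
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue                                  # process exited while we were reading
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        try:
            fd_links[pid] = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            fd_links[pid] = []
        procs.append(Proc(pid, int(status["PPid"]), status["Name"].strip(), cmdline, exe))
    with open("/proc/net/raw") as fh:
        return procs, fh.read(), fd_links


# Constructed sample host state (not from a real system).
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", "", None),                         # real kernel thread
    Proc(15, 2, "ksoftirqd/0", "", None),                     # real kernel thread
    Proc(800, 1, "rsyslogd", "/usr/sbin/rsyslogd -n", "/usr/sbin/rsyslogd"),
    Proc(4242, 1, "syslog", "[syslog]", "/tmp/dbus-echo"),   # user-space binary posing as a kernel thread
]
SAMPLE_FD_LINKS = {800: ["socket:[2001]"], 900: ["socket:[2002]"], 4242: ["/dev/null", "socket:[31337]"]}
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2002 2 0000000000000000 0
   1: 00000000:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 31337 2 0000000000000000 0
"""

if __name__ == "__main__":
    print("sample:", hunt(SAMPLE_PROCS, SAMPLE_PROC_NET_RAW, SAMPLE_FD_LINKS))
    if os.path.exists("/proc/net/raw"):
        print("live:", hunt(*collect_live()))
```

Raw UDP sockets are also opened by legitimate tooling (scanners, some monitoring agents), so a pid that appears in both lists is the strong signal; either alone is a lead to triage.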
Two versions of GTPDOOR
Two versions of this backdoor were identified, under the file names dbus-echo and pickup. Both samples were uploaded to VirusTotal in late 2023: the first version had one detection, while the second had none.
Version 1 Detection result in VirusTotal (Source: Double Agent)
Version 2 Detection result in VirusTotal (Source: Double Agent)
Both samples were built for the very old Linux distribution “Red Hat Linux 4.1”. The commands carried in the message type field of the magic packet are listed below.
GTPDOOR v1

| Message Type | Function | Payload |
|---|---|---|
| 0x01 | Set new encryption key | New key |
| 0x02 | Write data to system.conf | File content |
| 0x03 – 0xFF | Execute command and return output | Shell command to run |

GTPDOOR v2

| Message Type | Function | Payload |
|---|---|---|
| 0x01 | Set new encryption key | New key value |
| 0x02 | Write arbitrary data to system.conf | File content |
| 0x03, 0x04, 0x08 – 0xFF | Execute command and return output | Shell command to run |
| 0x05 | Add IP address or subnet to access control list | Multiple subnets or single IPs (/32) can be separated by a comma, e.g. 192.168.0.1/24,10.0.0.1 |
| 0x06 | Return ACL list | (none) |
| 0x07 | Clear ACL | (none) |