GTPDOOR - Previously Unknown Linux Malware Attacks Telecom Networks

A new backdoor has been discovered that uses GTP-C (GPRS Tunnelling Protocol – Control Plane) signalling messages to communicate with its C2 server. The backdoor is Linux-based, has been named “GTPDOOR”, and is intended to be deployed on systems inside telecommunication networks.

A threat actor who has deployed this backdoor can reach a compromised host by sending it GTP-C Echo Request messages carrying a malicious payload, and thereby execute commands on the system remotely. Because GTP-C traffic arriving from the GRX (GPRS Roaming eXchange) is already permitted to reach these systems, the backdoor hides its C2 traffic inside what looks like legitimate protocol traffic.

Technical Analysis

According to the reports shared with Cyber Security News, GTP is the standard tunnelling protocol of the mobile packet core, and it has previously been abused by the UNC1945 / LightBasin threat actor, who hid TinyShell traffic inside a valid PDP (Packet Data Protocol) session established through an SGSN (Serving GPRS Support Node).

Persistence established by threat actor (Source: Double Agent)

GTPDOOR specifically uses GTP-C Echo Request/Response messages and filters incoming packets on UDP and GTP header values with a handful of simple cmp instructions. The backdoor could be placed wherever the actor needs it, which may offer further access into the telecommunication core network.

If the GRX firewall is not configured properly, the backdoor could even be implanted on hosts deeper within the internal core network and still be reached from the GRX.

Background

Telecommunication network operators around the globe are interconnected through a “closed” network, the GRX, which provides interconnectivity between their systems. A number of network elements have direct connectivity to the GRX in order to route and forward roaming-related signalling and user plane traffic.

These systems include,

  • eDNS – External DNS to resolve APN names
  • SGSN, GGSN (Gateway GPRS Support Node) – 2G/3G packet core network elements
  • P-GW (Packet Data Network Gateway) – 4G version of GGSN
  • STP (Signal Transfer Point) – Signaling gateways for SS7 signaling
  • DRA (Diameter Routing Agent) – 4G equivalent of the STP, with the signalling carried over Diameter.

Summary of the Functionality

Initially, GTPDOOR listens for “magic” GTP-C Echo Request messages. It does this by opening a raw socket, so every UDP packet arriving at the host is delivered to the implant in user space; the host therefore needs no listening socket or service that would show up as an open port.

When a “magic” packet is received, GTPDOOR executes the command contained in it and returns the output to the remote host. Moreover, the implant can be probed covertly from an external network by sending a TCP packet to any port number on the host: if the implant is active, it answers with a crafted TCP packet.

GTPDOOR also authenticates and encrypts the contents of the magic GTP packets with a simple XOR cipher. The key is hardcoded but can be changed at runtime, which prevents other threat actors who know the hardcoded key from using the implant once the operator has rotated it.

In addition, the backdoor blends in by changing its process name to resemble a syslog process spawned as a kernel thread. No firewall changes are needed as long as the target host is already allowed to communicate on the GTP-C port (UDP 2123).

Two versions of GTPDOOR

Two versions of this backdoor were identified, under the file names dbus-echo and pickup. Both samples were uploaded to VirusTotal in late 2023; the first version had a single detection, while the second had none.

Version 1 Detection result in VirusTotal (Source: Double Agent)

Version 2 Detection result in VirusTotal (Source: Double Agent)

Both samples were built for a very old Linux distribution, Red Hat Linux 4.1. The command instructions carried in the magic packet’s message type byte are listed below.

GTPDOOR v1

Message Type | Function                          | Payload
0x01         | Set new encryption key            | New key
0x02         | Write data to system.conf         | File content
0x03 – 0xFF  | Execute command and return output | Shell command to run

GTPDOOR v2

Message Type          | Function                                         | Payload
0x01                  | Set new encryption key                           | New key value
0x02                  | Write arbitrary data to system.conf              | File content
0x03, 0x04, 0x08–0xFF | Execute command and return output                | Shell command to run
0x05                  | Add IP address or subnet to the access control list | Multiple subnets or single IPs (/32) separated by commas, e.g. 192.168.0.1/24,10.0.0.1
0x06                  | Return ACL list                                  | (none)
0x07                  | Clear ACL                                        | (none)
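The following is an added example written for this article, not code from the original report or from the malware itself. It shows how a defender can apply the two facts described above (the "Summary of the Functionality" section and the v2 message type table): a GTPv1-C Echo Request normally carries nothing after its header, so an Echo Request on UDP 2123 with a trailing payload is the anomaly to look for, and once flagged the payload can be XOR-decoded and its message type mapped to the table. The GTP header layout follows 3GPP TS 29.060; the XOR key, the payload layout (one message type byte followed by the argument), the handler names and the sample packets are all constructed assumptions for illustration.

```python
"""Parse GTPv1-C echo requests and flag the GTPDOOR 'magic packet' pattern.

Added example, not code from the original report or from the malware.
Header layout per 3GPP TS 29.060; the key, payload layout and sample
packets below are constructed assumptions for illustration only.
"""
import ipaddress
import struct

GTP_ECHO_REQUEST = 0x01  # GTPv1 message type "Echo Request" (sent to UDP 2123)

# GTPDOOR v2 message types as listed in the report; the handler names are ours.
V2_COMMANDS = {
    0x01: "set_key",
    0x02: "write_system_conf",
    0x05: "acl_add",
    0x06: "acl_list",
    0x07: "acl_clear",
}


def parse_gtpv1(data: bytes) -> dict:
    """Decode the 8-byte GTPv1 header plus the optional seq/N-PDU/ext octets.
    'length' counts every byte after the mandatory header; whatever remains
    after the optional fields is the IE area, which GTPDOOR abuses."""
    if len(data) < 8:
        raise ValueError("too short for a GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"not GTPv1 (version={flags >> 5})")
    # Bits E (0x04), S (0x02), PN (0x01): if any is set, all four optional
    # octets (sequence, N-PDU number, next extension type) are present.
    hdr_len = 12 if flags & 0x07 else 8
    if 8 + length > len(data) or hdr_len > 8 + length:
        raise ValueError("inconsistent GTP length field")
    return {"message_type": msg_type, "length": length, "teid": teid,
            "payload": data[hdr_len:8 + length]}


def is_suspicious_echo(pkt: dict) -> bool:
    """A genuine Echo Request carries no IEs (only an optional Private
    Extension); bytes after the header are the GTPDOOR pattern."""
    return pkt["message_type"] == GTP_ECHO_REQUEST and len(pkt["payload"]) > 0


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_magic(payload: bytes, key: bytes) -> tuple:
    """Assumed layout: first decrypted byte = message type, rest = argument."""
    clear = xor_bytes(payload, key)
    if not clear:
        raise ValueError("empty payload")
    return clear[0], clear[1:]


def classify_v2(msg_type: int) -> str:
    """Map a v2 message type to its function according to the report's table."""
    if msg_type in V2_COMMANDS:
        return V2_COMMANDS[msg_type]
    if msg_type in (0x03, 0x04) or msg_type >= 0x08:
        return "exec"
    return "unknown"


def parse_acl(arg: bytes) -> list:
    """Parse the 0x05 argument: comma-separated subnets or /32 hosts.
    strict=False tolerates host bits in a prefix such as 192.168.0.1/24."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in arg.decode().split(",") if s.strip()]


def build_echo_request(payload: bytes = b"", seq: int = 1) -> bytes:
    """Constructed test packet: flags 0x32 = version 1, PT=1 (GTP), S=1."""
    body = struct.pack("!HBB", seq, 0, 0) + payload  # seq, N-PDU, next-ext
    return struct.pack("!BBHI", 0x32, GTP_ECHO_REQUEST, len(body), 0) + body


ASSUMED_KEY = b"\x41"  # constructed demo key, not GTPDOOR's real key
LEGIT_ECHO = build_echo_request()
MAGIC_ECHO = build_echo_request(xor_bytes(bytes([0x03]) + b"id", ASSUMED_KEY))
MAGIC_ACL = build_echo_request(
    xor_bytes(bytes([0x05]) + b"192.168.0.1/24,10.0.0.1", ASSUMED_KEY))


def scan(packets: list, key: bytes) -> list:
    """Return (index, function, argument) for every suspicious echo request."""
    hits = []
    for i, raw in enumerate(packets):
        pkt = parse_gtpv1(raw)
        if is_suspicious_echo(pkt):
            msg_type, arg = decode_magic(pkt["payload"], key)
            hits.append((i, classify_v2(msg_type), arg))
    return hits


if __name__ == "__main__":
    for idx, func, arg in scan([LEGIT_ECHO, MAGIC_ECHO, MAGIC_ACL], ASSUMED_KEY):
        print(f"packet {idx}: {func} {arg!r}")
```

In practice the check would run over GTP-C traffic captured at the GRX border (UDP 2123), where a legitimate Echo Request is only the header, so any Echo Request with bytes after the header is worth an alert regardless of whether the XOR key is known; the decode step only adds context when it is. The one caveat is the optional Private Extension IE (type 0xFF), which a stricter rule should parse and allow rather than flag.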
