GTPDOOR Malware Targets Linux Systems

Cyber investigators have detected a newly identified Linux malware named GTPDOOR, specifically engineered for deployment in proximity to GPRS roaming exchanges (GRX) within telecom networks. Notably, this malware distinguishes itself by utilizing the GPRS Tunnelling Protocol (GTP) for its command-and-control (C2) communications.

GPRS roaming facilitates subscribers in accessing GPRS services outside their home mobile network coverage area, achieved through a GRX transporting roaming traffic via GTP between the visited and home Public Land Mobile Network (PLMN).

Security researcher haxrob, who uncovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, suggests a probable connection between the backdoor and a known threat actor named LightBasin (aka UNC1945). CrowdStrike disclosed this actor in October 2021 for orchestrating attacks on the telecom sector to pilfer subscriber information and call metadata.

GTPDOOR in Action

Upon execution, GTPDOOR initiates a process-name modification, disguising itself as '[syslog]' invoked from the kernel. It then suppresses child signals and establishes a raw socket, enabling the implant to receive UDP messages impacting the network interfaces.

In essence, GTPDOOR allows a threat actor with established persistence on the roaming exchange network to communicate with a compromised host by sending GTP-C Echo Request messages containing a malicious payload. This specialized GTP-C Echo Request message functions as a conduit to convey commands for execution on the infected machine, transmitting the results back to the remote host.

The researcher highlights that GTPDOOR can be discreetly probed from an external network, eliciting a response by sending a TCP packet to any port number. If the implant is active, a crafted empty TCP packet is returned, along with information on whether the destination port was open or responding on the host.

By Zaib
March 5, 2024
Computer Security
English
March 5, 2024
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

19 days ago

Pinaview is a Fully-Featured Adware App

11 months ago

'American Express - Update Your Account Information' Email Scam

6 months ago

Related Posts

Malware

Beware: Shikitega Malware Targets Linux Systems

Shikitega is the name of a newly discovered piece of malware targeting devices that run Linux, specifically IoT devices and endpoints. The malware comes with a complex, multi-step infection chain and includes a... Read more

September 8, 2022
Computer Security

New Strain of Malware Targets Linux Systems

After months of infotech news focusing primarily on Windows-based ransomware and other threats, October brings a new strain of malware that targets Linux-based systems for a change. The malware in question is believed... Read more

October 11, 2021
Malware

Indestroyer2 Malware Targets Ukrainian Industrial Control Systems

Indestroyer2 Malware is a malicious piece of software, which has been employed in attacks against Ukraine-based Industrial Control Systems (ICS.) The goal of the attackers is to take down important targets operating... Read more

April 13, 2022
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.