Pierluigi Paganini March 04, 2024

Researcher HaxRob discovered a previously undetected Linux backdoor named GTPDOOR, designed to target telecom carrier networks.

Security researcher HaxRob discovered a previously undetected Linux backdoor dubbed GTPDOOR, which is specifically crafted to carry out stealth cyber operations within mobile carrier networks.

The researcher believes that the threat actors behind GTPDOOR focuses on systems proximate to the GPRS Roaming eXchange (GRX), such as SGSN, GGSN, and P-GW. The threat actors are focusing on components because they can give an intruder a direct access to a core network of the target telecom carrier.

A GPRS roaming exchange (GRX) acts as a hub for General Packet Radio Service (GPRS) connections from roaming users, removing the need for a dedicated link between each GPRS service provider. It was developed to facilitate a more efficient way for operators to interconnect networks, and played a large part in the transition to third-generation systems.

HaxRob attributes the GTPDOOR backdoor to the China-linked APT group Light Basin threat group (aka UNC1945).

LightBasin targeted and compromised mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.

In October 2021, CrowdStrike uncovered a campaign after the investigation of a series of security incidents in multiple countries. The cybersecurity firm added that the threat actors show an in-depth knowledge of telecommunication network architectures.

CrowdStrike article observed the threat actor using the GPRS Tunnelling Protocol (GTP) for encapsulating tinyshell traffic in a valid PDP context session. The APT group employed an SGSN emulator to tunnel traffic to an external GGSN in another operator’s network.

HaxRob reported that the GTPDOOR backdoor uses the GPRS Tunnelling Protocol (GTP) for C2 communications.

Here, GTPDOOR is leveraging not off a PDP context (GTP-U, userplane) but specific GTP-C signalling messages with it’s own extended message structure.

“GTPDOOR is the name of Linux based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GRPS eXchange Network) with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol – Control Plane) signalling messages. This allows the C2 traffic to blend in with normal traffic and to reuse already permitted ports that maybe open and exposed to the GRX network.” reads the analysis. “The following diagram illustrates a forseen use of GTPDOOR. Here the actor already has established persistence on the roaming exchange network and access a compromised host by sending GTP-C Echo Request messages with a malicious payload:”

GTPDOOR allows threat actor with established persistence on the roaming exchange network to communicate with a compromised host by transmitting GTP-C Echo Request messages containing a malicious payload.

The researcher discovered two versions of the backdoor uploaded to VirusTotal in late 2023, respectively from Italy and China. It is interesting to highlight that both versions had a very low detection rate (respectively 1/63 and 0/63) at the time of the uploading on VirusTotal.

Both binaries targeted a very old Red Hat Linux version.

GTPDOOR actively listens for a distinctive “magic” wakeup packet, a GTP-C echo request message (GTP type 0x01). The researcher pointed out that it doesn’t require active listening sockets or services, all UDP packets seamlessly find their way into the user space through a raw socket.

The backdoor supports multiple capabilities, including command execution and the deployment of a reverse shell. The malicious code encapsulates requests and responses within GTP_ECHO_REQUEST / GTP_ECHO_RESPONSE messages.

HaxRob explained that the GTPDOOR can be covertly probed from an external network by sending a TCP packet to any port number. If the implant is active, a specially crafted empty TCP packet is returned, accompanied by information regarding the host’s responsiveness.

GTPDOOR also supports authentication and encryption mechanisms.

To avoid detection, GTPDOOR changes its process name to mimic the syslog process invoked as a kernel thread. An intriguing aspect of GTPDOOR is its minimal impact on ingress firewall configurations. As long as the target host is authorized to communicate over the GTP-C port, GTPDOOR operates without necessitating significant firewall adjustments.

Below are the Detection actions recommended by the researcher:

• GTPDOOR can be identified by listing raw sockets open on the system, e.g. via lsof, looking for SOCK_RAW or raw.
• Process name stomped files that are disguised as kernel threads can be identified by their parent process not being kthreadd.
• The presence of the mutex /var/run/daemon.pid could be an indicator.
• The presence of the file system.conf could be an indicator

The researchers also shared Yara rules for this threat.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)