Stealthy GTPDOOR Linux Malware Targets Mobile Operator Networks

Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks. The threat actors behind GTPDOOR are believed to target systems adjacent to the GPRS roaming eXchange (GRX), such as SGSN, GGSN, and P-GW, which can provide the attackers direct access to a telecom's core network.

The GRX is a component of mobile telecommunications that facilitates data roaming services across different geographical areas and networks. While the Serving GPRS Support Node (SGSN), Gateway GPRS Support Node (GGSN), and P-GW (Packet Data Network Gateway (for 4G LTE) are components within a mobile operator's network infrastructure, each serving different roles in mobile communications.

As the SGSN, GGSN, and P-GW networks are more exposed to the public, with IP address ranges listed in public documents, the researcher believes they are the likely target for gaining initial access to the mobile operator's network. In his write-up, HaxRob explained that GTPDOOR is likely a tool belonging to the 'LightBasin' threat group (UNC1945), notorious for intelligence-collection operations targeting multiple telcos worldwide.

The researcher discovered two versions of the backdoor uploaded to VirusTotal in late 2023, both passing largely undetected by antivirus engines. The binaries targeted a very old Red Hat Linux version, indicating an outdated target.

GTPDOOR is a sophisticated backdoor malware tailored for telecommunications networks, leveraging the GPRS Tunnelling Protocol Control Plane (GTP-C) for covert command and control (C2) communications.

It is designed for deployment in Linux-based systems adjacent to the GRX, responsible for routing and forwarding roaming-related signaling and user plane traffic.

Using GTP-C for communication allows GTPDOOR to blend with legitimate network traffic and utilize already permitted ports that aren't monitored by standard security solutions. For additional stealth, GTPDOOR can change its process name to mimic legitimate system processes.

The malware listens for specific GTP-C echo request messages ("magic packets") to wake up and execute the given command on the host, sending the output back to its operators.

The contents of the magic GTP packets are authenticated and encrypted using a simple XOR cipher, ensuring that only authorized operators can control the malware.

GTPDOOR v1 supports the following operations on breached hosts:

  • Set a new encryption key used for C2 communications
  • Write arbitrary data to a local file named 'system.conf'
  • Execute arbitrary shell commands and send back the output

GTPDOOR v2 supports the above operations plus the following:

  • Specify IP addresses or subnets allowed to communicate with the compromised host through an Access Control List (ACL) mechanism.
  • Retrieve the ACL list to make dynamic adjustments to the backdoor's network permissions.
  • Clear ACL to reset the malware

HaxRob also highlights the malware's ability to be covertly probed from an external network, eliciting a response via a TCP packet passed through any port.

Security Officer Comments:
GTPDoor is a Linux backdoor specialized in allowing an attacker access to a telecom’s core network. GTPDoor stealthily blends in with other legitimate network traffic utilizing the Tunnelling Protocol Control Plane used in GPRS. This can put any advanced telecom communications used by businesses at risk of confidentiality breaches. Its evasiveness and stealth can allow it to remain undetected for a prolonged period of time while it gathers sensitive information about customers and/or employees unbeknownst to the business. The researcher, HaxRob suggests that the GTPDOOR tool belongs to the ‘LightBasin’ APT, who are suspected to be a Chinese espionage group known for their intelligence-collection operations. The malware remains dormant until the specific “magic packets” containing sensitive or useful information appear, likely to avoid detection for as long as possible. LightBasin often implements their own proprietary tools rather than using off-the-shelf tools.

Suggested Corrections:
Detection strategies involve monitoring for unusual raw socket activities, unexpected process names, and specific malware indicators such as duplicate syslog processes.

The recommended detection steps are the following:

  1. Check for open raw sockets with lsof, indicating a potential breach.
  2. Use netstat -lp --raw to find unusual listening sockets.
  3. Identify processes mimicking kernel threads with abnormal PPIDs.
  4. Search for /var/run/, a mutex file used by GTPDOOR.
  5. Look for an unexpected system.conf file, possibly created by the malware.

Defense measures such as GTP firewalls with strict rules and adherence to GSMA security guidelines (1, 2) can be used to block or filter out malicious packets and connections.