GTPDOOR – A novel backdoor tailored for covert access over the roaming exchange

GTPDOOR is a Linux-based backdoor targeting telecommunication roaming networks adjacent to the GRX (GPRS Roaming Exchange). It carries its C2 traffic inside GTP-C signalling so that it blends in with normal roaming traffic. The article details its functionality, the two identified versions, the attribution to UNC1945 / LightBasin (CrowdStrike), and defensive considerations for operators, including indicators and mitigation guidance. Hashtags: #GTPDOOR #GTP-C #GRX #UNC1945 #LightBasin #CrowdStrike #gtpdoor-scan #dnsd

Keypoints

  • GTPDOOR is designed to carry its C2 traffic inside GTP-C signalling messages so that it blends in with legitimate GRX traffic.
  • The malware can execute remote commands and return their output, effectively providing a reverse-shell capability.
  • A beaconing feature uses crafted TCP packets to reveal whether a host/port is open, allowing the operator to confirm the implant's presence stealthily.
  • It authenticates and encrypts GTP payloads with a simple XOR cipher and supports rekeying to change the key.
  • It masquerades as a syslog kernel-thread process and listens on a raw socket for UDP 2123 (GTP-C) traffic.
  • Attribution points to UNC1945 / LightBasin (CrowdStrike), an actor previously observed using GTP-encapsulated traffic.

MITRE Techniques

  • [T1095] Non-Application Layer Protocol – The malware uses GTP-C signalling for C2 and transmits command instructions inside GTP Echo Request messages. Quote: “…communicates C2 traffic over GTP-C signalling messages. …The command instruction is sent in the GTP Echo Request message along with the associated data.”
  • [T1036] Masquerading – Blends into the environment by changing its process name to look like a syslog process invoked as a kernel thread. Quote: “Blends in to environment by changing its process name to look like syslog process invoked as a kernel thread.”
  • [T1059.004] Unix Shell – Executes commands on the host via a shell and returns the output to the remote client (reverse-shell style). Quote: “Executes a command on the host which is specified in the magic packet and returns the output to the remote host, supporting a “reverse shell” type functionality.”
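The key points and T1095 entry above describe the core trick: commands ride inside GTP Echo Request messages on UDP 2123, so a keepalive that carries a body is the anomaly a defender can look for. The following is an added example written for this summary, not code from the GTPDOOR write-up or from the gtpdoor-scan project. It parses the GTPv1 header of a UDP/2123 datagram and flags Echo Requests whose body is larger than a keepalive needs; the 16-byte threshold, the sample datagrams, and all function names are constructed assumptions to be tuned against real traffic.

```python
"""Heuristic inspection of GTPv1-C datagrams seen on UDP 2123 (added example).

This is a constructed detection aid, not code from the GTPDOOR write-up. It
decodes the GTPv1 header and flags Echo Request messages that carry more body
than a keepalive normally needs. The threshold is an assumption to tune per
network.
"""
import struct
from dataclasses import dataclass

GTPC_PORT = 2123          # GTP-C port named in the write-up
GTP_ECHO_REQUEST = 1      # GTPv1 message type for Echo Request
# Assumed threshold: a benign Echo Request carries no IEs or only a tiny
# Private Extension; anything larger deserves a closer look.
MAX_BENIGN_ECHO_BODY = 16


@dataclass
class GtpV1Header:
    msg_type: int
    length: int        # bytes following the mandatory 8-byte header
    teid: int
    header_len: int    # 8, or 12 when any of the E/S/PN flags is set

    @property
    def body_len(self) -> int:
        """Bytes after the (possibly extended) header, per the length field."""
        return self.length - (self.header_len - 8)


def parse_gtpv1_header(data: bytes) -> GtpV1Header:
    """Decode a GTPv1 header; raise ValueError for non-GTPv1 or truncated input."""
    if len(data) < 8:
        raise ValueError("truncated: fewer than 8 bytes")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"not GTPv1 (version field = {version})")
    # E, S and PN flags: if any is set, the 4 optional header bytes are present.
    header_len = 12 if flags & 0x07 else 8
    if len(data) < header_len:
        raise ValueError("truncated: optional header fields missing")
    return GtpV1Header(msg_type=msg_type, length=length, teid=teid,
                       header_len=header_len)


def inspect_gtpc_datagram(udp_payload: bytes) -> dict:
    """Classify one UDP/2123 payload and return a small verdict dict."""
    try:
        hdr = parse_gtpv1_header(udp_payload)
    except ValueError as exc:
        return {"suspicious": False, "reason": str(exc)}
    verdict = {"msg_type": hdr.msg_type, "body_len": hdr.body_len,
               "suspicious": False, "reason": "ok"}
    if hdr.msg_type == GTP_ECHO_REQUEST and hdr.body_len > MAX_BENIGN_ECHO_BODY:
        verdict["suspicious"] = True
        verdict["reason"] = (f"Echo Request with {hdr.body_len}-byte body "
                             f"(> {MAX_BENIGN_ECHO_BODY})")
    return verdict


# Constructed samples, not captures from the write-up.
# Flags 0x32 = version 1, PT=1 (GTP), S=1; length 4 covers seq/N-PDU/next-ext only.
BENIGN_ECHO_REQUEST = bytes.fromhex("32 01 0004 00000000 0001 00 00")
# Same header shape, but the length field announces 40 extra bytes of opaque body.
OPAQUE_BODY = bytes(range(40))
ODD_ECHO_REQUEST = bytes.fromhex("32 01 002c 00000000 0002 00 00") + OPAQUE_BODY
# GTPv2-C also rides on 2123; version 2 is skipped rather than misparsed.
GTPV2_SAMPLE = bytes.fromhex("48 01 0008 00000000 000003 00")

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_ECHO_REQUEST), ("odd", ODD_ECHO_REQUEST),
                      ("gtpv2", GTPV2_SAMPLE)]:
        print(name, inspect_gtpc_datagram(pkt))
```

In practice the function is fed the UDP payload of every packet to or from port 2123 (from a capture or a network sensor); it only reasons about the header and body length, so it needs no knowledge of the implant's XOR key and will also surface other tooling that abuses Echo Request as a carrier.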

Indicators of Compromise

  • [Hash] 827f41fc1a6f8a4c8a8575b3e2349aeaba0dfc2c9390ef1cceeef1bb85c34161, 5cbafa2d562be0f5fa690f8d551cdb0bee9fc299959b749b99d44ae3fda782e4 (SHA-256 hashes of the identified binaries dbus-echo and pickup)
  • [Filename] dbus-echo (Version 1 binary), pickup (Version 2 binary)
  • [Process] dnsd (original C source filename observed in the binaries and screenshots)
  • [File] system.conf (config file written by the malware)
  • [Mutex] /var/run/daemon.pid (PID file used as a mutex by Version 2)
  • [Port] UDP 2123 (GTP-C), the port the raw-socket listener watches
  • [URL] https://github.com/haxrob/gtpdoor-scan/ (active GTPDOOR network scanner)

Read more: https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR