GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks
Summary:
GTPDOOR is a newly discovered Linux backdoor built to run on telecom hosts adjacent to GPRS roaming exchanges (GRX). What sets it apart is its use of the GPRS Tunneling Protocol (GTP) for command-and-control (C2) traffic: GTP is the signalling protocol that already flows between roaming partners, so the implant's traffic blends in with legitimate exchange traffic.
Security researcher haxrob, who found two GTPDOOR samples uploaded to VirusTotal from China and Italy, suspects a link to the LightBasin threat actor (also tracked as UNC1945), a group CrowdStrike previously documented targeting the telecom sector to steal subscriber information and call metadata.
On execution, GTPDOOR renames its process to look like syslog, the standard system logger, and opens a raw socket so it can read UDP datagrams arriving on the host's network interfaces without binding a listening port of its own. Through that socket it receives GTP-C Echo Request messages that carry a hidden payload, which lets an attacker with reach into the GRX network issue commands to the compromised host. The commands are executed on the infected machine and the output is returned to the operator over the same GTP channel.
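The detection angle that follows from the description above is that a normal GTP-C Echo Request carries no payload at all, and an Echo Response carries only a Recovery IE (3GPP TS 29.060 additionally permits a Private Extension IE in both). The parser below, an added example written for this summary and not code from the report or from haxrob's analysis, decodes GTPv1 datagrams seen on the GTP-C port and reports echo messages that carry anything else. The sample datagrams are constructed for the demonstration (the payload bytes are placeholders, not GTPDOOR's real command format), and the tolerated-IE table is an assumption drawn from the specification rather than from the malware.

```python
"""Flag GTP-C Echo Request / Echo Response messages that carry unexpected data.

Added example for this advisory summary; not from the original report.
Sample datagrams are constructed, not captured traffic.
"""
import struct

GTPC_PORT = 2123                     # GTP-C over UDP (GTP-U uses 2152 and is ignored here)
ECHO_REQUEST, ECHO_RESPONSE = 1, 2
IE_RECOVERY, IE_PRIVATE_EXTENSION = 14, 255
# Echo messages may carry only Recovery (TV format, 1 octet) and Private Extension (TLV).
TV_IE_LENGTHS = {IE_RECOVERY: 1}


def parse_gtpv1(data):
    """Return (msg_type, teid, seq, ie_area, trailing) for a GTPv1 datagram."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTP version 1")
    if len(data) < 8 + length:
        raise ValueError("declared length exceeds datagram")
    body, trailing = data[8:8 + length], data[8 + length:]
    seq, offset = None, 0
    if flags & 0x07:                 # E, S or PN flag set: seq(2) n-pdu(1) next-ext(1) follow
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        seq = struct.unpack("!H", body[:2])[0]
        if body[3] != 0:
            raise ValueError("extension headers not supported by this parser")
        offset = 4
    return msg_type, teid, seq, body[offset:], trailing


def parse_echo_ies(payload):
    """Split the IE area of an echo message; raise on anything not permitted there."""
    ies, i = [], 0
    while i < len(payload):
        ie_type = payload[i]
        if ie_type < 128:            # TV format: type octet followed by a fixed-length value
            n = TV_IE_LENGTHS.get(ie_type)
            if n is None or i + 1 + n > len(payload):
                raise ValueError(f"IE type {ie_type} not permitted in echo or truncated")
            ies.append((ie_type, payload[i + 1:i + 1 + n]))
            i += 1 + n
        else:                        # TLV format: type, 2-octet length, value
            if i + 3 > len(payload):
                raise ValueError("truncated TLV IE")
            n = struct.unpack("!H", payload[i + 1:i + 3])[0]
            if ie_type != IE_PRIVATE_EXTENSION or i + 3 + n > len(payload):
                raise ValueError(f"IE type {ie_type} not permitted in echo or truncated")
            ies.append((ie_type, payload[i + 3:i + 3 + n]))
            i += 3 + n
    return ies


def inspect_echo(udp_payload):
    """Return a list of findings; an empty list means the datagram looks like a plain echo."""
    try:
        msg_type, teid, _seq, ie_area, trailing = parse_gtpv1(udp_payload)
    except ValueError as e:
        return [f"malformed GTP: {e}"]
    if msg_type not in (ECHO_REQUEST, ECHO_RESPONSE):
        return []                    # other GTP-C messages are out of scope for this check
    findings = []
    if teid != 0:
        findings.append(f"echo with non-zero TEID {teid:#x}")
    if trailing:
        findings.append(f"{len(trailing)} bytes after declared GTP length")
    try:
        ies = parse_echo_ies(ie_area)
    except ValueError as e:
        findings.append(f"echo carries non-IE data: {e}")
        return findings
    for ie_type, value in ies:
        if ie_type == IE_PRIVATE_EXTENSION:
            findings.append(f"private extension IE ({len(value)} bytes) in echo")
        elif msg_type == ECHO_REQUEST:
            findings.append("recovery IE in echo request")
    return findings


def scan(datagrams):
    """datagrams: name -> (udp_dst_port, payload). Only GTP-C port traffic is inspected."""
    return {name: inspect_echo(data) for name, (port, data) in datagrams.items() if port == GTPC_PORT}


# Constructed samples. Flags 0x32 = version 1, PT=1 (GTP), S=1; TEID 0; sequence number 1.
SAMPLES = {
    "echo_request_ok":      (GTPC_PORT, bytes.fromhex("32010004" "00000000" "00010000")),
    "echo_response_ok":     (GTPC_PORT, bytes.fromhex("32020006" "00000000" "00010000" "0e05")),
    # Echo Request whose IE area is opaque bytes, which is how a command smuggled in an echo looks
    "echo_request_payload": (GTPC_PORT, bytes.fromhex("32010010" "00000000" "00010000") + b"\x41\x42\x43\x44cmd-data"),
    "echo_request_trailing": (GTPC_PORT, bytes.fromhex("32010004" "00000000" "00010000") + b"\xde\xad"),
    "echo_request_priv_ext": (GTPC_PORT, bytes.fromhex("3201000a" "00000000" "00010000" "ff000300" "01aa")),
    "gtpu_ignored":         (2152, bytes.fromhex("30ff0000" "00000001")),
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {findings or 'no findings'}")
```

The Private Extension case is deliberately reported rather than accepted: it is the one place where a protocol-conformant echo can legitimately carry operator-defined bytes, so a payload wrapped that way would pass a strict IE check, and it is worth alerting on unless the peer is known to use it.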
Security Officer Comments:
Notably, GTPDOOR can be covertly probed from an external network: when it receives a TCP packet it replies with a crafted packet whose TCP flags signal that the implant is present and potentially disclose details of the host's status. This behavior suggests GTPDOOR is tailored to hosts directly attached to the GRX network, the interconnect over which different telecommunication operators' networks exchange roaming traffic.
Suggested Corrections:
Researchers recommend the following defensive mitigations:
Link(s):
https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.html