GTPDOOR – Previously Unknown Linux Malware Attacks Telecom Networks

Researchers have discovered a new backdoor named GTPDOOR that targets telecommunication network systems within the closed GRX network, which connects multiple telecommunication network operators. 



The GRX network is a closed network that connects individual network operators from various telecom companies. 



Network elements like SGSN, GGSN, P-GW, STP, and DRA need direct connections to the GRX network to route roaming traffic, which typically uses the GTP-C protocol for communication.



GTPDOOR is designed to be stealthy and difficult to detect: it leverages GTP-C, a legitimate protocol used for communication within mobile networks, to blend in with regular traffic.



It can also modify its process name to mimic legitimate system processes, further improving its ability to evade detection.



Double Agent has observed that GTPDOOR communicates with a command and control server using the GTP-C protocol, which allows GTPDOOR to receive commands from the attackers and send back any stolen data or other information.
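Because the backdoor rides on GTP-C, the defensive angle is to inspect GTP-C datagrams arriving on GRX-facing interfaces rather than to trust the port. The following is an added example written for this article, not code from the researchers or from the malware analysis: a minimal GTPv1-C header parser with a few anomaly checks (unexpected peer, message type outside the expected set, length or TEID inconsistencies). The header layout follows 3GPP TS 29.060; the sample datagrams, peer addresses and the "expected message type" set are constructed for illustration and should be replaced with the values a given node actually exchanges.

```python
"""Added example (not from the article or the GTPDOOR research): a small
GTPv1-C header parser used as an anomaly heuristic for GRX-facing hosts.

Assumptions: GTPv1 header layout per 3GPP TS 29.060 (flags, message type,
length, TEID, optional seq/N-PDU/ext-type block); sample datagrams and
peer addresses below are constructed, not real captures."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

GTPC_PORT = 2123  # UDP port used by GTP-C (control plane); for reference only

# Message types a GRX-facing GTPv1-C node is normally expected to exchange.
# This is a constructed subset of TS 29.060; tune it per node role.
KNOWN_GTPC_TYPES = {
    1: "Echo Request", 2: "Echo Response", 3: "Version Not Supported",
    16: "Create PDP Context Request", 17: "Create PDP Context Response",
    18: "Update PDP Context Request", 19: "Update PDP Context Response",
    20: "Delete PDP Context Request", 21: "Delete PDP Context Response",
}


@dataclass
class GtpHeader:
    version: int
    protocol_type: int      # 1 = GTP, 0 = GTP' (charging)
    msg_type: int
    length: int             # bytes following the 8-byte mandatory header
    teid: int
    seq: Optional[int]
    payload: bytes          # bytes after the optional field block


def parse_gtpv1(data: bytes) -> GtpHeader:
    """Parse the mandatory GTPv1 header and the optional 4-byte field block.
    Extension headers (E flag) are not walked; they stay inside `payload`."""
    if len(data) < 8:
        raise ValueError("too short for a GTPv1 header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    version = flags >> 5
    protocol_type = (flags >> 4) & 1
    if version != 1:
        raise ValueError(f"unsupported GTP version {version}")
    body = data[8:8 + length]
    offset = 0
    seq = None
    # If any of E, S, PN is set, all three optional fields are present (4 bytes)
    if flags & 0x07:
        if len(body) < 4:
            raise ValueError("truncated optional header fields")
        seq = struct.unpack("!H", body[0:2])[0] if flags & 0x02 else None
        offset = 4
    return GtpHeader(version, protocol_type, msg_type, length, teid, seq, body[offset:])


def assess(data: bytes, src_ip: str, allowed_peers: Set[str]) -> List[str]:
    """Return the reasons a GTP-C datagram looks anomalous (empty list = nothing noted)."""
    findings: List[str] = []
    try:
        hdr = parse_gtpv1(data)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    if hdr.msg_type not in KNOWN_GTPC_TYPES:
        findings.append(f"GTP-C message type {hdr.msg_type} not in expected set")
    if hdr.protocol_type != 1:
        findings.append("protocol type bit indicates GTP' (charging), not GTP")
    if src_ip not in allowed_peers:
        findings.append(f"GTP-C datagram from unexpected peer {src_ip}")
    if 8 + hdr.length != len(data):
        findings.append("length field does not match datagram size")
    # Echo and Version Not Supported messages must carry TEID 0 (TS 29.060)
    if hdr.msg_type in (1, 2, 3) and hdr.teid != 0:
        findings.append(f"path-management message with non-zero TEID {hdr.teid:#x}")
    return findings


# Constructed sample datagrams (not captures of real traffic)
ECHO_REQ = bytes.fromhex("32 01 00 04 00 00 00 00 00 01 00 00")   # v1, S flag, seq=1, TEID=0
SUSPICIOUS = bytes.fromhex("30 63 00 05 00 00 00 00") + b"hello"  # type 99, 5-byte payload
ALLOWED_PEERS = {"192.0.2.10"}  # constructed roaming-partner address

if __name__ == "__main__":
    for name, pkt, src in (("echo", ECHO_REQ, "192.0.2.10"),
                           ("odd", SUSPICIOUS, "198.51.100.7")):
        print(name, assess(pkt, src, ALLOWED_PEERS))
```

The point of the checks is not that any single one proves a backdoor; it is that a host which should only ever see a handful of well-formed GTP-C messages from a known peer list gives you a tight baseline, so anything outside it is worth a look. In practice the peer list comes from the roaming agreements configured on the node, and the message-type set from the node's role (SGSN, GGSN, and so on).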




I recently found two very interesting Linux binaries uploaded to VirusTotal. I call this malware 'GTPDOOR'. GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n)