GTPDOOR Linux Malware Exploiting GPRS Protocol For Stealthy C2 Communication

by Esmeralda McKenzie
GTPDOOR Linux Malware Exploiting GPRS Protocol For Stealthy C2 Communication

GTPDOOR Linux Malware Exploiting GPRS Protocol For Stealthy C2 Communication

GTPDOOR Linux Malware Exploiting GPRS Protocol For Stealthy C2 Verbal substitute

Threat actors exploit Linux malware as a result of the fresh exhaust of Linux servers in serious infrastructure and files superhighway files superhighway hosting.

Linux’s incidence makes it to take into accounta good making an are attempting target for cybercriminals in search of to compromise methods, rob files, or launch distributed denial-of-service (DDoS) assaults.

Cybersecurity researcher specialist in mobile security and IoT security study, HaxRob(@haxrob) lately chanced on GTPDOOR, a Linux malware that became once chanced on exploiting GPRS protocol for stealthy C2 communication.

GTPDOOR Linux Malware Exploiting GPRS Protocol

GTPDOOR targets telco networks come GRX, and it communicates C2 visitors by technique of GTP-C signaling by blending it with unparalleled visitors.

The beneath plan depicts a doable exhaust case the build actors exploit established persistence to safe admission to compromised hosts through GTP-C Echo Demand messages:-

Use%20of%20GTPDOOR%20(Source%20 %20Double%20Agent)
Utilize of GTPDOOR (Source – Double Agent)

GTPDOOR helps faraway code execution and would be beaconed by sending TCP packets to its host.

The beacon response hides particular files in a TCP header flag by bettering its stealth.

This malware has been named “GTPDOOR” for the utilization of a port-knocking approach comparable to BPFDOOR.

Unlike BPFDOOR, GTPDOOR makes exhaust of GTP-C echo search files from/response messages and filters on UDP and GTP header values.

It’s seemingly linked to UNC1945 / LightBasin, known for the utilization of GTP protocol to encapsulate tinyshell visitors.

GTPDOOR targets GTP-C signaling messages with its contain extended constructing.

Moreover this, the binaries be pleased the title “dnsd.c,” and a CrowdStrike presentation suggests the existence of a Solaris version.

dnsd%20Process%20(Source%20 %20Double%20Agent)
dnsd Assignment (Source – Double Agent)

A “closed” community hyperlinks world telecom operators for interconnectivity. Systems be pleased eDNS, SGSN, GGSN, P-GW, STP, and DRA require say GRX community safe admission to for roaming-related signaling and user plane visitors.

GTPDOOR may perhaps well exploit all these capabilities and build say entry correct into a telco’s core community. Doubtless targets consist of methods supporting GTP-C over GRX, be pleased:-

  • SGSN
  • GGSN
  • P-GW

Right here’s the visual presentation of the packet:-

Packet%20presentation%20(Source%20 %20Double%20Agent)
Packet presentation (Source – Double Agent)

The TCP probe feature enables external hosts to check GRX’s TCP packets.

A subnet filter compares the provision IP, and if there may perhaps be no match, then a acknowledge is distributed, which indicates that the implant is involving.

The beacon response is crafted the utilization of a raw socket by copying relevant IP and TCP header fields.

The patron distinguishes an open port by checking the pressing pointer flag within the TCP header.

Whereas no service needs to center of attention on the TCP beaconing port:-

TCP%20header%20(Source%20 %20Double%20Agent)
TCP header (Source – Double Agent)

Probe responses exhaust ACK/RST flags and pressing pointer flags for covert message encoding within the TCP header.

The ACL aim is unclear, with concerns be pleased warding off risk actor C2 infrastructure in reminiscence or specifying interior victim networks.

Nonetheless, any GRX host can scan operator IPs by sending the TCP SYN packets on non-unparalleled ports.

Options

Right here beneath now we have mentioned the final suggestions:-

  • Begin UDP port selectively on GRX for needed methods, with affirm firewall guidelines dropping packets for non-GTP protocol users.
  • Employ strict guidelines to dam unnecessary inbound TCP connections by technique of GRX.
  • Dangle into listing dropping TCP packets with the RST/ACK flag build on the GRX firewall as a precaution.

That you just may perhaps block malware, including Trojans, ransomware, adware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly foul, can wreak havoc, and hurt your community.

Dwell updated on Cybersecurity files, Whitepapers, and Infographics. Voice us on LinkedIn & Twitter.

Source credit : cybersecuritynews.com

Related Posts