Security analysts have uncovered a fresh Linux malware named GTPDOOR, intended for deployment within telecom networks adjacent to GPRS roaming exchanges (GRX). What distinguishes this malware is its utilization of the GPRS Tunnelling Protocol (GTP) for commanding and controlling operations.

GPRS roaming enables subscribers to access their services even outside their home mobile network's coverage area. This is facilitated through a GRX, which facilitates roaming traffic via GTP between the visited and home Public Land Mobile Networks (PLMN). 

Security expert haxrob, who stumbled upon two GTPDOOR artifacts uploaded to VirusTotal originating from China and Italy, suggests that this backdoor is likely linked to a known threat actor identified as LightBasin (also known as UNC1945). 

CrowdStrike previously disclosed this actor in October 2021 for a series of attacks targeting the telecom sector to pilfer subscriber data and call metadata.

Upon execution, GTPDOOR initially alters its process name to '[syslog]', mimicking syslog invoked from the kernel, and opens a raw socket to enable the implant to receive UDP messages through the network interfaces. E

Essentially, GTPDOOR enables a threat actor with established persistence on the roaming exchange network to communicate with a compromised host by dispatching GTP-C Echo Request messages carrying a malicious payload.

These GTP-C Echo Request messages serve as a conduit for transmitting commands to execute on the infected system and relaying results back to the remote host. Furthermore, GTPDOOR can be discreetly probed from an external network by sending a TCP packet to any port number. If the implant is active, it returns a crafted empty TCP packet along with information on whether the destination port was open or responsive on the host.

According to the researcher, GTPDOOR appears tailored to reside on compromised hosts directly linked to the GRX network, which are the systems communicating with other telecommunication operator networks via GRX.