Linux Malware GTPDOOR Exploits GPRS Roaming Networks to Target Telecom Companies


Security analysts have uncovered a fresh Linux malware named GTPDOOR, intended for deployment within telecom networks adjacent to GPRS roaming exchanges (GRX). What distinguishes this malware is its utilization of the GPRS Tunnelling Protocol (GTP) for commanding and controlling operations.
GPRS roaming enables subscribers to access their services even outside their home mobile network’s coverage area. This is facilitated through a GRX, which facilitates roaming traffic via GTP between the visited and home Public Land Mobile Networks (PLMN). 
Security expert haxrob, who stumbled upon two GTPDOOR artifacts uploaded to VirusTotal originating from China and Italy, suggests that this backdoor is likely linked to a known threat actor identified as LightBasin (also known as UNC1945). 
CrowdStrike previously disclosed this actor in October 2021 for a series of attacks targeting the telecom sector to pilfer subscriber data and call metadata.
Upon execution, GTPDOOR initially alters its process name to ‘[syslog]’, mimicking syslog invoked from the kernel, and opens a raw socket to enable the implant to receive UDP messages through the network interfaces. E
Essentially, GTPDOOR enables a threat actor with established persistence on the roaming exchange network t

Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Read the original article: