GTPDOOR roaming: Hackers spy on subscribers through international traffic

Teacher

Professional
Mar 29, 2013
The vulnerability in the GTP protocol has become a new profitable loophole for the LightBasin group.

Researchers have announced a new threat — the GTPDOOR malware, which targets telecommunications networks. This Linux Trojan abuses weaknesses in the GPRS roaming protocol to covertly control infected devices. According to experts, the malware is linked to the well-known hacker group LightBasin, which has previously attacked companies in the telecom sector.

GTPDOOR allows attackers to secretly steal confidential subscriber data and call metadata. The Trojan is unique because it uses the GTP protocol to communicate with command servers and control infected devices.

GPRS roaming allows subscribers to use mobile Internet when traveling abroad. The service depends on GRX (GPRS Roaming Exchange) networks, which carry traffic between the roaming networks of different operators over GTP. Weaknesses in the protocol expose both subscribers and operators.

Cybersecurity specialist haxrob found two samples of GTPDOOR uploaded to VirusTotal from China and Italy. He also said the backdoor is most likely connected with the LightBasin group.

CrowdStrike had previously reported on this group's activities: the attackers used flaws in the GTP protocol and GPRS roaming to spy on subscribers and steal their data.

Once started, GTPDOOR disguises itself as a syslog process spawned by the kernel. It ignores signals from other processes and opens a raw socket to receive UDP network packets.

GTPDOOR allows an attacker who has already gained access to the GRX network to reach an infected host by sending specially crafted GTP-C Echo Request packets carrying a malicious payload. These packets serve as the channel for delivering commands to execute and for returning the results to the remote host.
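A defender-side check for that channel, as an added example that is not part of the original article or of GTPDOOR itself: it parses the GTPv1 header of a UDP payload (GTP-C travels on UDP port 2123) and flags Echo Requests that carry bytes beyond the header, because per 3GPP TS 29.060 an Echo Request has no mandatory information elements. The sample PDUs are constructed, and the heuristic assumes GTPv1; a real GRX tap would also have to handle GTPv2-C (version 2).

```python
import struct
from dataclasses import dataclass
from typing import Optional

MSG_ECHO_REQUEST = 1  # GTPv1 message type 1 = Echo Request (3GPP TS 29.060)

@dataclass
class GtpV1Packet:
    msg_type: int
    length: int
    teid: int
    seq: Optional[int]
    payload: bytes  # bytes left after the fixed and optional header fields

def parse_gtpv1(data: bytes) -> GtpV1Packet:
    """Parse a GTPv1 PDU as carried in a UDP payload; raises ValueError if malformed."""
    if len(data) < 8:
        raise ValueError("short GTP packet")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1")
    body = data[8:8 + length]
    if len(body) != length:
        raise ValueError("length field exceeds packet")
    seq = None
    # If any of the E, S or PN flag bits is set, a 4-byte optional block
    # (sequence number, N-PDU number, next extension header type) follows.
    if flags & 0x07:
        if len(body) < 4:
            raise ValueError("optional header fields missing")
        if flags & 0x02:
            seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return GtpV1Packet(msg_type, length, teid, seq, body)

def is_echo_request_with_payload(data: bytes) -> bool:
    """Heuristic: an Echo Request carries no mandatory IEs, so any bytes left after
    the header are unexpected and worth an alert. Constructed rule, not GTPDOOR's format."""
    try:
        pkt = parse_gtpv1(data)
    except ValueError:
        return False
    return pkt.msg_type == MSG_ECHO_REQUEST and len(pkt.payload) > 0

# Constructed sample PDUs (not real captures): flags 0x32 = version 1, PT=1, S flag set.
BENIGN_ECHO_REQ = bytes.fromhex("32010004" "00000000" "00010000")
SUSPICIOUS_ECHO_REQ = bytes.fromhex("3201000a" "00000000" "00010000" "deadbeef0001")
ECHO_RESPONSE = bytes.fromhex("32020006" "00000000" "00010000" "0e01")  # Recovery IE
```

Feed it the UDP payloads captured on the GRX-facing interface; an Echo Request carrying only the optional Private Extension IE (type 255) would trip this rule and should be whitelisted explicitly.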

GTPDOOR can also collect information about infected systems without being noticed. To do this, the Trojan responds to special probes from the external network: the attackers send TCP packets to different ports on the victim's host and analyze the replies, using the empty responses to tell which ports are open and which are closed.

In this way, attackers can identify the active network services on infected machines and gain valuable intelligence before further attacks. According to experts, GTPDOOR is aimed at servers of telecom operators that are directly connected to the core of the GPRS network. Infection of these critical systems can lead to large-scale leaks and outages.