Security researchers say a newly discovered Linux malware dubbed GTPDOOR can establish command-and-control communications on compromised devices by leveraging the GPRS Tunnelling Protocol (GTP), The Hacker News reports.
The malware is designed to be deployed in telecommunications networks situated next to GPRS roaming exchanges, which transport roaming traffic between the visited and the home Public Land Mobile Network using GTP. A threat actor that has already established persistence on the roaming exchange network can make contact with a compromised host by sending it a GTP-C Echo Request message carrying a malicious payload. Over this channel, commands are transmitted for execution on the compromised device and the results are returned to the remote host. A security researcher who found two GTPDOOR artifacts that had been uploaded to VirusTotal from China and Italy said the backdoor is likely linked to a threat actor tracked as LightBasin or UNC1945, which was reportedly involved in a series of attacks that targeted the telecom sector.
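For defenders monitoring roaming-adjacent hosts, the following added example (not code from the report or the researcher) shows a triage check for GTP-C Echo Requests that carry data beyond the header, the pattern the report describes. It assumes GTPv1-C framing on UDP port 2123, which the report does not specify; the function names are hypothetical and the sample packets are constructed.

```python
import struct

ECHO_REQUEST = 1         # GTPv1 message type for Echo Request
PRIVATE_EXTENSION = 255  # only IE the GTPv1 spec allows in an Echo Request

def inspect_gtpv1_echo(datagram: bytes) -> list:
    """Return findings for one UDP/2123 payload; an empty list means nothing to flag."""
    if len(datagram) < 8:
        return []
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or msg_type != ECHO_REQUEST:
        return []                      # not a GTPv1 Echo Request
    findings = []
    body = datagram[8:]
    if length != len(body):
        findings.append("length field %d does not match %d body bytes" % (length, len(body)))
    if teid != 0:
        findings.append("non-zero TEID 0x%08x on a path-management message" % teid)
    # Sequence number, N-PDU number and next-extension type occupy 4 bytes
    # whenever any of the E, S or PN flag bits is set.
    ies = body[4:] if flags & 0x07 else body
    if ies:
        kind = "Private Extension" if ies[0] == PRIVATE_EXTENSION else "IE type %d" % ies[0]
        findings.append("%d bytes after the header, starting with %s" % (len(ies), kind))
    return findings

def sample_echo(ie_bytes: bytes = b"", teid: int = 0) -> bytes:
    """Build a constructed GTPv1-C Echo Request (flags 0x32: version 1, PT=1, S=1)."""
    body = struct.pack("!HBB", 1, 0, 0) + ie_bytes
    return struct.pack("!BBHI", 0x32, ECHO_REQUEST, len(body), teid) + body

if __name__ == "__main__":
    # Constructed sample: a Private Extension IE holding 16 opaque bytes.
    opaque = bytes([PRIVATE_EXTENSION]) + struct.pack("!H", 18) + b"\x00\x00" + b"\xaa" * 16
    for name, pkt in (("keepalive", sample_echo()), ("with payload", sample_echo(opaque))):
        print(name, inspect_gtpv1_echo(pkt) or "ok")
```

A Private Extension is permitted in an Echo Request, so a hit is a lead to compare against the peer's normal keepalive traffic rather than proof of compromise.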