GTPDOOR: New Linux Malware Targeting Telecom Companies

admin, 2 March 2024, 19:50:35

Threat hunters have discovered a new Linux malware called GTPDOOR that is designed to be deployed in telecom networks adjacent to GPRS roaming exchanges (GRX).

The malware is novel in that it uses the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications.

GPRS roaming allows subscribers to access their GPRS services while they are beyond the reach of their home mobile network. This is facilitated by a GRX, which transports the roaming traffic using GTP between the visited and the home Public Land Mobile Network (PLMN).

Security researcher haxrob, who discovered two GTPDOOR artifacts uploaded to VirusTotal from China and Italy, said the backdoor is likely linked to a known threat actor tracked as LightBasin (aka UNC1945), which CrowdStrike previously disclosed in October 2021 in connection with a series of attacks targeting the telecom sector to steal subscriber information and call metadata.

"When run, the first thing GTPDOOR does is process-name stomp itself – changing its process name to '[syslog]' – disguised as syslog invoked from the kernel," the researcher said. "It suppresses child signals and then opens a raw socket [that] will allow the implant to receive UDP messages that hit the network interfaces."
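The two host-side traits described above, a process that has renamed itself to look like a kernel thread and a raw socket that sees every UDP datagram, can be hunted for from /proc without any GTPDOOR-specific signature. The following Python is an added example written for this page, not code from the researcher's write-up or from the implant. It relies on two facts about Linux: real kernel threads carry the PF_KTHREAD flag in /proc/PID/stat and have no /proc/PID/exe target, and the first column of /proc/net/raw is the raw socket's IP protocol number. The sample stat lines, the executable path /var/tmp/.cache/sysd and the /proc/net/raw row are constructed for the demonstration.

```python
"""Hunt for userland processes masquerading as kernel threads (the "[syslog]"
trick) and list raw sockets they hold. Added example; sample data constructed."""
import os
from dataclasses import dataclass
from typing import Optional

PF_KTHREAD = 0x00200000  # include/linux/sched.h; set only on real kernel threads


@dataclass
class ProcInfo:
    pid: int
    comm: str
    flags: int
    exe: Optional[str]  # readlink(/proc/PID/exe); None if it cannot be resolved


def parse_stat(line: str, exe: Optional[str]) -> ProcInfo:
    """Parse one /proc/PID/stat line. comm sits in parentheses and may itself
    contain spaces or ')', so split on the first '(' and the last ')'."""
    lp, rp = line.index("("), line.rindex(")")
    pid = int(line[:lp].strip())
    comm = line[lp + 1:rp]
    rest = line[rp + 1:].split()  # state ppid pgrp session tty_nr tpgid flags ...
    return ProcInfo(pid, comm, int(rest[6]), exe)


def classify(info: ProcInfo) -> str:
    """kernel-thread: PF_KTHREAD set, bracketed name is genuine.
    masquerade: bracketed name, but a real on-disk executable and no PF_KTHREAD,
    which is what a stomped "[syslog]" looks like.  user: anything else."""
    if info.flags & PF_KTHREAD:
        return "kernel-thread"
    looks_kernel = info.comm.startswith("[") and info.comm.endswith("]")
    if looks_kernel and info.exe:
        return "masquerade"
    return "user"


def raw_socket_inodes(proc_net_raw: str) -> dict:
    """Map socket inode -> IP protocol from the text of /proc/net/raw.
    Column 0 ("sl") is the protocol (17 = UDP, as a SOCK_RAW/IPPROTO_UDP socket shows)."""
    inodes = {}
    for line in proc_net_raw.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 10:
            inodes[int(f[9])] = int(f[0].rstrip(":"))
    return inodes


def socket_inodes_of(pid: int) -> set:
    """Socket inodes open in /proc/PID/fd (live system only; needs privileges)."""
    found = set()
    try:
        for fd in os.listdir(f"/proc/{pid}/fd"):
            try:
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
            except OSError:
                continue
            if target.startswith("socket:["):
                found.add(int(target[8:-1]))
    except OSError:
        pass
    return found


def scan_live():
    """Walk /proc on this host and print masquerading tasks with their raw sockets."""
    with open("/proc/net/raw") as fh:
        raws = raw_socket_inodes(fh.read())
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat") as fh:
                stat_line = fh.read()
        except OSError:
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        info = parse_stat(stat_line, exe)
        if classify(info) == "masquerade":
            held = {i: raws[i] for i in socket_inodes_of(pid) if i in raws}
            print(f"pid {pid} comm {info.comm!r} exe {exe} raw_sockets {held}")


# Constructed sample data: (stat line, readlink of /proc/PID/exe)
SAMPLE_STATS = [
    ("2 (kthreadd) S 0 0 0 0 -1 2129984 0 0 0 0 0 0 0 0 20 0 1 0 3 0 0", None),
    ("812 (rsyslogd) S 1 812 812 0 -1 4194560 100 0 0 0 2 1 0 0 20 0 4 0 900 0 0", "/usr/sbin/rsyslogd"),
    ("4121 ([syslog]) S 1 4121 4121 0 -1 4194560 5 0 0 0 0 0 0 0 20 0 1 0 77000 0 0", "/var/tmp/.cache/sysd"),
]
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  17: 00000000:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 88421 2 0000000000000000 0
"""


def classify_samples() -> list:
    return [classify(parse_stat(line, exe)) for line, exe in SAMPLE_STATS]


if __name__ == "__main__":
    print(classify_samples())
    scan_live()
```

On a real host, a hit from this scan is a lead, not a verdict: confirm by comparing the exe target and cmdline against the package that should own syslog, and treat a bracketed name paired with a raw IPPROTO_UDP socket as high priority.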

In practice, GTPDOOR allows a threat actor who has already established persistence on the roaming exchange network to contact a compromised host by sending GTP-C Echo Request messages with a malicious payload.

This "magic" GTP-C Echo Request message acts as a conduit to transmit a command to be executed on the infected machine and to return the results to the remote host.
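The detection angle that follows from the two paragraphs above is structural: a GTPv1-C Echo Request (message type 1, UDP port 2123) normally carries nothing after its 8-byte header and the optional 4-byte sequence block, so an Echo Request with body bytes is worth alerting on regardless of what the bytes contain. The Python below is an added example for this page, not code from the researcher or from the implant, and it does not reproduce GTPDOOR's actual payload format, which the article does not describe. It parses the GTPv1 header per the standard layout (flags, type, length, TEID, then sequence/N-PDU/next-extension when any of the E, S or PN bits is set), and includes a small builder so both the benign and the anomalous datagram can be constructed inline. The command string in the sample is a placeholder, not a real GTPDOOR message.

```python
"""Flag GTPv1-C Echo Requests that carry a payload. Added example; the
sample datagrams are constructed with build_echo_request(), not captured."""
import struct
from dataclasses import dataclass
from typing import Optional

GTPC_PORT = 2123     # GTP-C control plane (GTP-U is 2152)
ECHO_REQUEST = 1
ECHO_RESPONSE = 2
V1_FLAGS_PT_S = 0x32  # version=1 (bits 7-5), PT=1 (GTP, not GTP'), S=1 (sequence present)


@dataclass
class GtpV1Message:
    msg_type: int
    length: int
    teid: int
    seq: Optional[int]
    payload: bytes  # bytes after the mandatory header and optional fields


def parse_gtpv1(data: bytes) -> GtpV1Message:
    """Parse a GTPv1 header. Raises ValueError on anything that is not a
    well-formed version-1 message (GTPv2-C uses a different header layout)."""
    if len(data) < 8:
        raise ValueError("short GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError(f"unsupported GTP version {flags >> 5}")
    body = data[8:8 + length]
    if len(body) < length:
        raise ValueError("length field exceeds datagram")
    seq = None
    if flags & 0x07:  # E, S or PN set -> seq(2) npdu(1) next-ext(1) follow
        if length < 4:
            raise ValueError("optional fields flagged but missing")
        seq = struct.unpack("!H", body[:2])[0]
        body = body[4:]
    return GtpV1Message(msg_type, length, teid, seq, body)


def build_echo_request(seq: int, payload: bytes = b"") -> bytes:
    """Construct a GTPv1-C Echo Request; payload is normally empty."""
    body = struct.pack("!HBB", seq, 0, 0) + payload
    return struct.pack("!BBHI", V1_FLAGS_PT_S, ECHO_REQUEST, len(body), 0) + body


def echo_request_anomaly(data: bytes, dst_port: int = GTPC_PORT) -> Optional[str]:
    """Return a reason string when the datagram deserves an alert, else None.
    Only GTP-C traffic is considered; Echo Responses and other message types
    are passed through, since Create/Update PDP Context legitimately carry IEs."""
    if dst_port != GTPC_PORT:
        return None
    try:
        msg = parse_gtpv1(data)
    except ValueError as exc:
        return f"malformed GTP-C datagram: {exc}"
    if msg.msg_type != ECHO_REQUEST:
        return None
    if msg.payload:
        return f"echo request with {len(msg.payload)} payload bytes (seq={msg.seq})"
    return None


# Constructed samples: one legitimate keepalive, one carrying a placeholder command
BENIGN_ECHO = build_echo_request(seq=1)
SUSPECT_ECHO = build_echo_request(seq=2, payload=b"uname -a")


def demo() -> list:
    return [echo_request_anomaly(BENIGN_ECHO), echo_request_anomaly(SUSPECT_ECHO)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two caveats when wiring this into a GRX-facing sensor: 3GPP allows a Private Extension IE in an Echo Request, so a whitelist of partner PLMNs that are known to send one avoids noise, and the implant reads from a raw socket, so the datagram may be addressed to any UDP port on the host; the dst_port filter above reflects what a border GTP firewall would inspect, not a limit of the backdoor.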

GTPDOOR "can be covertly probed from an external network to elicit a response by sending a TCP packet to any port number," the researcher noted. "If the implant is active a crafted empty TCP packet is returned along with information if the destination port was open/responding on the host."

"This implant looks like it is designed to sit on compromised hosts that directly touch the GRX network – these are the systems that communicate to other telecommunication operator networks via the GRX."

Originally published by the WeChat public account 知机安全: GTPDOOR: New Linux Malware Targeting Telecom Companies

Please keep this link when reposting (CN-SEC Chinese Net; thanks to the original author): https://cn-sec.com/archives/2538502.html
