GTPDOOR: Previously Unknown Linux Malware Hits Telecom Networks

GTPDOOR is a newly discovered backdoor that targets communication network systems inside the closed GRX network, which links several communication network operators.

The GRX network links separate network operators from different telecom firms in a closed network environment and carries roaming traffic. It usually communicates using the GTP-C protocol. Network elements such as SGSN, GGSN, and P-GW must be routed via direct connections to the GRX network.

Because it blends in with normal traffic by using GTP-C, a valid protocol for mobile network communication, GTPDOOR is designed to be difficult to detect. To better avoid detection, it may also change its process name to imitate other valid system processes.

Double Agent has noticed that GTPDOOR uses the GTP-C protocol to connect with a command and control server. This allows GTPDOOR to receive instructions from the attackers and relay back any information that has been stolen.


Examining the Features and Versions of GTPDOOR:

Targeting telecom networks, GTPDOOR is a Linux malware that wakes up infected systems, receives commands, executes them, and reports back results via "magic" packets (GTP-C echo requests).

It can be probed remotely, can change its process name to avoid discovery, supports key changes, and authenticates messages via XOR encryption. This malware blends in with legitimate network traffic by using well-known protocols and ports, making it difficult to detect.

Two samples, both aimed at an antiquated Linux system, have been identified: dbus-echo and pickup (an improved version). They were submitted to VirusTotal in late 2023, and their source code indicates that the attacker needed to maintain them better.

Novel GTPDOOR Operations:

For covert communication, GTPDOOR uses GTP Echo Request messages. It listens on port 2123 for UDP packets, authenticates messages using a hardcoded key, and decrypts the payload. The action is determined by the type of message:

  1. 0x03, 0x04, 0x08-0xFF: Execute a shell command and return the output.
  2. 0x05: Add an IP address/subnet to the Access Control List (ACL).
  3. 0x06: Get the current ACL.
  4. 0x07: Clear the ACL.

Version 2 Adds:

  1. Using several threads to manage TCP and GTP communication.
  2. To perform a liveness check, particular flags are sent in response to any TCP message.
  3. Using open() to fork a process to execute commands remotely.

GTPDOOR v1 Provides a Range of Operations to Perform on Breached Hosts:

  1. Set a new encryption key for C2 communication.
  2. Write arbitrary data to a local file named “system.conf”.
  3. Execute any shell commands and provide the output.

Beyond the Operations Listed Above, GTPDOOR v2 Incorporates Additional Operations:

  1. Specify the IP addresses or subnets that are allowed to interact with the compromised host through an Access Control List (ACL) mechanism.
  2. Retrieve the ACL so the backdoor's network permissions can be adjusted as necessary.
  3. Clear the ACL to reset the malware.

Defense and Detection:

System administrators can use programs like “lsof” and “netstat” to list raw sockets and search for unusual entries.

GTPDOOR accepts malformed GTP packets. In the reported test, the custom client sets the GTP protocol type to 0 (GTP prime, charging related) where GTP-C, not GTP', would be expected. The extension header is also corrupt, and the encrypted GTPDOOR payload is carried inside the GTP message. Firewalls with GTP capability can recognize and block this unusual traffic.

A GTPDOOR infection may also be indicated by processes with unusual parent IDs or by the existence of particular files like “/var/run/” and “system.conf.”


Because the malware handles GTP packets incorrectly, network traffic analysis can also identify it. Firewalls should be configured to reject incoming packets on the ports GTPDOOR uses and to deny TCP connections that the network does not need. GSMA has provided two pertinent defensive recommendations.
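The traffic-analysis check described above can be expressed as a GTPv1 header inspection on UDP 2123. The following is an added example, not code from the original report or from any firewall product: it flags echo requests whose protocol type is 0, that carry an extension header, or that carry bytes where the only permitted information element is a Private Extension. The function names, anomaly labels, heuristics and sample datagrams are assumptions constructed for illustration, and GTPv2-C is not covered.

```python
import struct

GTPC_PORT = 2123          # UDP port the article says GTPDOOR listens on
ECHO_REQUEST = 0x01       # GTPv1 Echo Request message type
PRIVATE_EXTENSION = 0xFF  # the only IE a GTPv1 Echo Request may carry

def inspect_gtp(payload: bytes) -> list:
    """Return anomaly labels (heuristics) for one UDP payload seen on port 2123."""
    if len(payload) < 8:
        return ["truncated-header"]
    flags, msg_type, length, _teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1:
        return []                                # GTPv2-C etc. not covered here
    if not flags & 0x10:                         # PT bit 0 = GTP' (charging)
        return ["protocol-type-0-gtp-prime"]     # GTP' header differs, stop parsing
    findings = []
    if length != len(payload) - 8:               # length counts bytes after octet 8
        findings.append("length-mismatch")
    if msg_type != ECHO_REQUEST:
        return findings
    body = payload[8:]
    if flags & 0x07:                             # E, S or PN set: 4 optional octets
        if len(body) < 4:
            return findings + ["truncated-optional-header"]
        body = body[4:]
    if flags & 0x04:                             # extension header on a keepalive
        findings.append("echo-request-with-extension-header")
    elif body and body[0] != PRIVATE_EXTENSION:  # opaque data where no IE belongs
        findings.append("echo-request-unexpected-body")
    return findings

def scan(datagrams):
    """Return (source, findings) for flagged datagrams addressed to UDP 2123."""
    return [(src, f) for src, port, data in datagrams
            if port == GTPC_PORT and (f := inspect_gtp(data))]

def build_gtp(flags, msg_type, body, teid=0):
    """Hypothetical helper: pack a GTPv1 header in front of a constructed body."""
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body

# Constructed sample datagrams (documentation addresses, filler bytes only).
SAMPLES = [
    ("192.0.2.10", 2123, build_gtp(0x32, 1, b"\x00\x01\x00\x00")),            # normal
    ("192.0.2.66", 2123, build_gtp(0x32, 1, b"\x00\x02\x00\x00" + b"\xa5" * 16)),
    ("192.0.2.66", 2123, build_gtp(0x22, 1, b"\x00\x03\x00\x00")),            # PT = 0
    ("192.0.2.66", 2123, build_gtp(0x36, 1, b"\x00\x04\x00\xc0\x01\x00\x00\x00")),
]

if __name__ == "__main__":
    print(*scan(SAMPLES), sep="\n")
```

In production the same checks would run over a capture or a mirror port feed; the labels are meant as triage hints to correlate with the host indicators listed above, not as a verdict on their own.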
