Checking if we catch latest GTPDOOR malware #1100
gustavo-iniguez-goya
started this conversation in Show and tell
Recently, a new analysis of a piece of Linux malware named GTPDOOR has been published on several news sites:
https://doubleagent.net/telecommunications/backdoor/gtp/2024/02/27/GTPDOOR-COVERT-TELCO-BACKDOOR
It caught my attention because, unlike much other Linux malware, this one uses raw sockets and some interesting techniques to accept connections/commands from a remote attacker (typically seen in some advanced rootkits). So I checked whether OpenSnitch was able to block the outbound connections of this malware, disrupting the comms with the C&C server:
(attached video: poc.mp4)
The malware doesn't use advanced techniques to hide itself in the system, so we're able to detect and report its activity.
Also, as mentioned in the analysis report, changing the firewall's inbound policy to Deny prevents it from functioning as expected, blocking inbound connections from a remote attacker.
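The post's point is that GTPDOOR receives attacker traffic on a raw socket rather than a bound TCP/UDP port, so it never shows up in the usual "listening ports" views. The script below is an added example (not code from the post above and not part of OpenSnitch) showing where such a socket does show up: it parses `/proc/net/raw`, whose "port" column actually holds the IP protocol number, and walks `/proc/<pid>/fd` to map each socket inode back to the process holding it. It assumes a Linux procfs and a little-endian host; the `SAMPLE_PROC_NET_RAW` text, the inode numbers and the PIDs used to exercise it are constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not OpenSnitch code): list AF_INET raw sockets and the
PIDs holding them by parsing /proc/net/raw and walking /proc/<pid>/fd.

A raw socket does not bind a port, so it never appears as a listening
TCP/UDP port; /proc/net/raw is where it is recorded.  Assumes a Linux
procfs layout and a little-endian host (x86 / arm64).
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# IP protocol numbers a raw socket is commonly opened for.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 255: "raw"}

# Constructed sample of /proc/net/raw: a root-owned raw socket for UDP
# (protocol 0x11 = 17) bound to all interfaces, and an ICMP (0x01) socket
# bound to loopback.  Inode and uid values are made up for the example.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0011 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 48213 2 0000000000000000 0
   1: 0100007F:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 48220 2 0000000000000000 0
"""


@dataclass(frozen=True)
class RawSocket:
    protocol: int     # IP protocol number; /proc/net/raw stores it in the "port" slot
    local_addr: str   # dotted-quad bound address, 0.0.0.0 = all interfaces
    uid: int
    inode: int

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.protocol, str(self.protocol))


def _hex_to_ipv4(hex_addr: str) -> str:
    """/proc prints the address as a host-order 32-bit word, so on a
    little-endian host the bytes come out reversed (assumption noted above)."""
    return ".".join(str(b) for b in reversed(bytes.fromhex(hex_addr)))


def parse_proc_net_raw(text: str) -> list[RawSocket]:
    """Parse the text of /proc/net/raw into RawSocket records."""
    sockets: list[RawSocket] = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, proto_hex = fields[1].split(":")
        sockets.append(RawSocket(
            protocol=int(proto_hex, 16),
            local_addr=_hex_to_ipv4(addr_hex),
            uid=int(fields[7]),
            inode=int(fields[9]),
        ))
    return sockets


def socket_owners(proc: str = "/proc") -> dict[int, list[int]]:
    """Map socket inode -> PIDs holding it by reading /proc/<pid>/fd links.
    Other users' fd tables are unreadable without root, and those processes
    are skipped silently, so run as root for a complete picture."""
    owners: dict[int, list[int]] = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                            # no permission, or process exited
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def raw_socket_holders(raw_text: str, owners: dict[int, list[int]]) -> list[tuple[RawSocket, list[int]]]:
    """Join parsed raw sockets with their owning PIDs (empty list = not visible)."""
    return [(s, sorted(owners.get(s.inode, []))) for s in parse_proc_net_raw(raw_text)]


def main() -> None:
    with open("/proc/net/raw") as f:
        text = f.read()
    for sock, pids in raw_socket_holders(text, socket_owners()):
        print(f"proto={sock.proto_name:<5} bound={sock.local_addr:<15} "
              f"uid={sock.uid:<5} inode={sock.inode} pids={pids or '?'}")


if __name__ == "__main__":
    main()
```

Run it as root so every process's fd table is readable; `ss -w` gives a similar listing of raw sockets but does not name the owning process without `-p`. Because a raw socket receives every packet of its protocol regardless of port, port-based allow rules are no help against it, which is why the post's observation about a default-deny inbound policy matters.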