win.gtpdoor

GTPDOOR

Actor(s): LightBasin


According to haxrob, GTPDOOR is the name of Linux-based malware that is intended to be deployed on systems in telco networks adjacent to the GRX (GPRS eXchange Network), with the novel feature of communicating C2 traffic over GTP-C (GPRS Tunnelling Protocol - Control Plane) signalling messages. This allows the C2 traffic to blend in with normal traffic and to reuse already permitted ports that may be open and exposed to the GRX network.

References
2024-02-28 — Twitter (@haxrob) — haxrob
Tweet series regarding GTPDOOR
GTPDOOR
2024-02-27 — Doubleagent.net — haxrob
GTPDOOR - A novel backdoor tailored for covert access over the roaming exchange
GTPDOOR
Yara Rules
[TLP:WHITE] win_gtpdoor_auto (20260504 | Detects win.gtpdoor.)
rule win_gtpdoor_auto {

    /* Purpose: autogenerated code-sequence signature for the Malpedia family
     * win.gtpdoor (GTPDOOR). Each $sequence_N below is a short run of raw
     * instruction bytes lifted from a disassembled sample; the hex bytes are
     * the actual match content, and the "//" rows under each string are only
     * human-readable annotation. "??" bytes (as in e8????????) are wildcards
     * for the rel32 target of a call, which varies between builds.
     *
     * NOTE(review): the annotation rows of $sequence_3, _4, _6, _7, _8 and _13
     * do not line up with their byte rows (e.g. 55 is annotated "dec eax",
     * b800000000 is annotated "leave", c9 is annotated "dec eax"). Those
     * sequences start with 0x48 REX.W prefixes, i.e. they are x86-64 code, and
     * the annotation column appears to come from a 32-bit decoder that emits
     * the prefix as a separate "dec eax" row, shifting the text. Trust the
     * bytes, not the annotation, when reviewing these strings.
     *
     * NOTE(review): $sequence_0 (cld / ecx=0x32 / eax=0 / rep stosb, a 50-byte
     * memset), $sequence_5 (repne scasb, strlen-style scan) and $sequence_9
     * (add esp / pop / ret epilogue) look like generic compiler idioms and are
     * weak evidence on their own; the rule's specificity comes from requiring
     * 7 of the 14 sequences together.
     *
     * NOTE(review): the page text describes GTPDOOR as Linux-based malware,
     * while this rule is keyed to the win.gtpdoor identifier. Confirm which
     * platform's samples the sequences were lifted from before assigning
     * confidence to hits on either platform.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.gtpdoor."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.gtpdoor"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" in the annotations is the number of instructions in the sequence;
        // "score" is the signator ranking weight and is not used by the condition.
        $sequence_0 = { fc b932000000 b800000000 f3aa }
            // n = 4, score = 200
            //   fc                   | cld                 
            //   b932000000           | mov                 ecx, 0x32
            //   b800000000           | mov                 eax, 0
            //   f3aa                 | rep stosb           byte ptr es:[edi], al

        $sequence_1 = { 31d0 8801 8045fb01 8345fc01 }
            // n = 4, score = 200
            //   31d0                 | xor                 eax, edx
            //   8801                 | mov                 byte ptr [ecx], al
            //   8045fb01             | add                 byte ptr [ebp - 5], 1
            //   8345fc01             | add                 dword ptr [ebp - 4], 1

        $sequence_2 = { 750f 837dec00 755a c745f001000000 eb51 }
            // n = 5, score = 100
            //   750f                 | jne                 0x11
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0
            //   755a                 | jne                 0x5c
            //   c745f001000000       | mov                 dword ptr [ebp - 0x10], 1
            //   eb51                 | jmp                 0x53

        // x86-64 (REX.W-prefixed) sequence; annotation rows below are shifted, see header note.
        $sequence_3 = { 488b45f8 48c1e810 480145f8 488b45f8 f7d0 0fb7c0 c9 }
            // n = 7, score = 100
            //   488b45f8             | dec                 eax
            //   48c1e810             | mov                 eax, dword ptr [ebp - 8]
            //   480145f8             | dec                 eax
            //   488b45f8             | shr                 eax, 0x10
            //   f7d0                 | dec                 eax
            //   0fb7c0               | add                 dword ptr [ebp - 8], eax
            //   c9                   | dec                 eax

        // x86-64 sequence; annotation rows shifted, see header note.
        $sequence_4 = { 488b7df0 4883c70c be01000000 e8???????? 488b45f0 0fb7400a }
            // n = 6, score = 100
            //   488b7df0             | mov                 eax, 0
            //   4883c70c             | movzx               edi, ax
            //   be01000000           | mov                 edx, eax
            //   e8????????           |                     
            //   488b45f0             | dec                 eax
            //   0fb7400a             | mov                 eax, dword ptr [ebp - 0x10]

        $sequence_5 = { b800000000 fc 8b7dd4 f2ae 89c8 }
            // n = 5, score = 100
            //   b800000000           | mov                 eax, 0
            //   fc                   | cld                 
            //   8b7dd4               | mov                 edi, dword ptr [ebp - 0x2c]
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]
            //   89c8                 | mov                 eax, ecx

        // x86-64 sequence; annotation rows shifted, see header note.
        $sequence_6 = { 0fb7f8 e8???????? 89c2 488b45f0 66895001 488b45d8 0fb74004 }
            // n = 7, score = 100
            //   0fb7f8               | dec                 eax
            //   e8????????           |                     
            //   89c2                 | mov                 eax, dword ptr [ebp - 0x20]
            //   488b45f0             | dec                 eax
            //   66895001             | mov                 ecx, 0xffffffff
            //   488b45d8             | dec                 eax
            //   0fb74004             | mov                 dword ptr [ebp - 0x40], eax

        // x86-64 sequence; annotation rows shifted, see header note.
        $sequence_7 = { 488b45e0 48c7c1ffffffff 488945c0 b800000000 }
            // n = 4, score = 100
            //   488b45e0             | mov                 eax, dword ptr [ebp - 8]
            //   48c7c1ffffffff       | not                 eax
            //   488945c0             | movzx               eax, ax
            //   b800000000           | leave               

        // x86-64 sequence; annotation rows shifted, see header note.
        $sequence_8 = { 48c7c1ffffffff 488985a8f1ffff b800000000 fc }
            // n = 4, score = 100
            //   48c7c1ffffffff       | mov                 word ptr [eax + 1], dx
            //   488985a8f1ffff       | dec                 eax
            //   b800000000           | mov                 eax, dword ptr [ebp - 0x28]
            //   fc                   | movzx               eax, word ptr [eax + 4]

        $sequence_9 = { 8945e8 8b45e8 83c434 5f 5d c3 }
            // n = 6, score = 100
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   83c434               | add                 esp, 0x34
            //   5f                   | pop                 edi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 

        $sequence_10 = { 8b45e0 0fb74002 668945e6 8b45e0 0fb710 8b45e0 66895002 }
            // n = 7, score = 100
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   0fb74002             | movzx               eax, word ptr [eax + 2]
            //   668945e6             | mov                 word ptr [ebp - 0x1a], ax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   0fb710               | movzx               edx, word ptr [eax]
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   66895002             | mov                 word ptr [eax + 2], dx

        $sequence_11 = { e8???????? 66c78580feffff0200 8b4508 8b400c }
            // n = 4, score = 100
            //   e8????????           |                     
            //   66c78580feffff0200     | mov    word ptr [ebp - 0x180], 2
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b400c               | mov                 eax, dword ptr [eax + 0xc]

        $sequence_12 = { 8d850afaffff 01d0 8b5514 89c7 89d6 }
            // n = 5, score = 100
            //   8d850afaffff         | lea                 eax, [ebp - 0x5f6]
            //   01d0                 | add                 eax, edx
            //   8b5514               | mov                 edx, dword ptr [ebp + 0x14]
            //   89c7                 | mov                 edi, eax
            //   89d6                 | mov                 esi, edx

        // x86-64 function prologue (push rbp / mov rbp,rsp / sub rsp,0x660 ...);
        // annotation rows shifted, see header note.
        $sequence_13 = { 55 4889e5 4881ec60060000 89bdccf9ffff 4889b5c0f9ffff 48898db0f9ffff 4489c0 }
            // n = 7, score = 100
            //   55                   | dec                 eax
            //   4889e5               | mov                 edi, dword ptr [ebp - 0x10]
            //   4881ec60060000       | dec                 eax
            //   89bdccf9ffff         | add                 edi, 0xc
            //   4889b5c0f9ffff       | mov                 esi, 1
            //   48898db0f9ffff       | dec                 eax
            //   4489c0               | mov                 eax, dword ptr [ebp - 0x10]

    condition:
        // Any 7 of the 14 byte sequences must be present, and the scanned object
        // must be smaller than 4210688 bytes (just over 4 MiB); larger files are
        // not scanned against the sequences at all.
        7 of them and filesize < 4210688
}