Glutton: A New Modular PHP Backdoor

Dec 16, 2024 | News

Cybersecurity researchers have discovered a new PHP-based malware framework named Glutton, which has been deployed in attacks targeting China, the United States, Cambodia, Pakistan, and South Africa. This backdoor, identified by QiAnXin XLab in April 2024, has been attributed with moderate confidence to the Chinese nation-state group Winnti (APT41).

Interestingly, Glutton operates on a dual front, targeting both enterprise systems and cybercrime operators themselves. Researchers describe this tactic as a "poisoning operation": the backdoor is planted in the tools and hosts that cybercriminals use, so the tools are turned against their own operators, a case of "no honor among thieves."

Glutton’s Capabilities and Attack Chain

Glutton is a modular framework designed to infect PHP-based systems, harvest sensitive information, and deploy ELF backdoor components. Initial access is believed to come from exploiting zero-day or N-day vulnerabilities or from brute-forcing credentials; from there the framework is staged through several modules:

  1. task_loader: Evaluates the environment and downloads components like init_task.
  2. init_task: Deploys an ELF backdoor disguised as FastCGI Process Manager (/lib/php-fpm) and infects PHP files with malicious code.
  3. client_loader: A refactored version of init_task with updated network infrastructure; it also modifies system files such as /etc/init.d/network so the backdoor survives reboots.

The backdoor targets the Baota (BT) hosting panel and popular PHP frameworks such as ThinkPHP, Yii, and Laravel, and facilitates code injection, file modification, and data theft on the hosts that run them.

Advanced Features and Unique Tactics

Glutton’s framework is built for stealth and flexibility. Its key features include:

  • Command and Control (C2): Supports 22 commands, including switching the C2 channel between TCP and UDP, launching shells, and executing PHP payloads sent by the operator.
  • Stealthy Footprint: Runs its PHP payloads in memory inside PHP or PHP-FPM worker processes, so the payloads never touch disk and leave nothing for file-based scanning to find; the ELF component and the modified init script above are the remaining on-disk artefacts.
  • Modular Payloads: Modules can run in sequence as a full chain or independently, which lets the operators add capabilities without redeploying the whole framework.
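
The module chain described earlier (an ELF disguised as /lib/php-fpm, an edit to /etc/init.d/network, PHP files rewritten in place) and the in-memory execution noted under "Stealthy Footprint" point to the same set of host-triage checks. The Python script below is an added example written for this page; it is not XLab's code and contains nothing taken from the Glutton samples. It looks for a file at the disguised binary path, for a process that calls itself php-fpm but executes from outside the usual install directories (the disk holds no payload, so the live process is what remains to inspect), for a persistence line in /etc/init.d/network, and for PHP files edited much more recently than their siblings. The list of legitimate php-fpm directories, the web-root locations, and the assumption that the init-script edit references /lib/php-fpm are the author's guesses and should be adjusted to the host being checked; the sample tree the script builds is constructed for the demonstration and contains no real malware.

```python
import os
import statistics
import tempfile
import time

ELF_MAGIC = b"\x7fELF"
BACKDOOR_REL = "lib/php-fpm"            # disguised backdoor path, relative to the scanned root
INIT_SCRIPT_REL = "etc/init.d/network"  # file client_loader is reported to edit for persistence
# Directories real php-fpm binaries are installed to (assumption; extend for your fleet)
LEGIT_FPM_DIRS = ("/usr/sbin/", "/usr/local/sbin/", "/usr/bin/", "/www/server/php/", "/opt/remi/")
WEB_ROOTS_REL = ("www/wwwroot", "var/www")   # Baota default and Debian default web roots (assumption)

def check_backdoor_binary(root="/"):
    """Flag any file at <root>/lib/php-fpm: distro php-fpm is never installed there."""
    path = os.path.join(root, BACKDOOR_REL)
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fh:
        kind = "ELF" if fh.read(4) == ELF_MAGIC else "non-ELF"
    return [f"{path}: {kind} file at the disguised backdoor path"]

def classify_process(comm, exe):
    """One process -> finding string or None. Pure, so it can be tested without /proc."""
    if exe.endswith("/lib/php-fpm"):
        return f"{comm!r} executes from the backdoor path {exe}"
    if comm.startswith("php-fpm") and not exe.startswith(LEGIT_FPM_DIRS):
        return f"{comm!r} claims to be php-fpm but executes from {exe}"
    return None

def check_processes(proc="/proc"):
    """Walk /proc: the PHP payloads never touch disk, so the live process is the evidence."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc}/{pid}/exe")  # needs root to read other users' processes
        except OSError:
            continue
        finding = classify_process(comm, exe)
        if finding:
            findings.append(f"pid {pid}: {finding}")
    return findings

def check_init_script(root="/"):
    """Lines of /etc/init.d/network naming the backdoor (assumes the edit relaunches it)."""
    path = os.path.join(root, INIT_SCRIPT_REL)
    try:
        with open(path, errors="replace") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return []
    return [f"{path}: {line.strip()}" for line in lines if "/lib/php-fpm" in line]

def recently_modified_php(root="/", window=7 * 86400):
    """Heuristic for the 'infects PHP files' step: a .php file whose mtime is more than
    `window` newer than the median mtime of its directory is a fresh edit in an otherwise
    untouched application tree. Verify hits by hand; the injected code itself is not known here."""
    hits = []
    for rel in WEB_ROOTS_REL:
        for dirpath, _dirs, files in os.walk(os.path.join(root, rel)):
            php = [os.path.join(dirpath, f) for f in files if f.endswith(".php")]
            if len(php) < 2:
                continue
            median = statistics.median(os.stat(p).st_mtime for p in php)
            hits += [p for p in php if os.stat(p).st_mtime - median > window]
    return hits

def _write(path, data, mtime=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    if mtime is not None:
        os.utime(path, (mtime, mtime))

def build_constructed_sample(root):
    """Constructed sample tree (not real malware) so the file-system checks run offline."""
    _write(os.path.join(root, BACKDOOR_REL), ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)  # e_ident only
    _write(os.path.join(root, INIT_SCRIPT_REL), b"#!/bin/sh\n# network\n/lib/php-fpm &\n")
    app = os.path.join(root, "www/wwwroot/app")
    old = time.time() - 60 * 86400                      # untouched application files
    _write(os.path.join(app, "index.php"), b"<?php\n", old)
    _write(os.path.join(app, "config.php"), b"<?php\n", old)
    _write(os.path.join(app, "injected.php"), b"<?php\n")   # fresh edit, mtime = now

def run_demo():
    """Build the sample tree in a temp dir and run the file-system checks against it."""
    root = tempfile.mkdtemp(prefix="glutton-triage-")
    build_constructed_sample(root)
    return {"binary": check_backdoor_binary(root),
            "init_script": check_init_script(root),
            "recent_php": recently_modified_php(root)}

if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section, items)
    for line in check_processes():
        print("process", line)
```

On a real host, call the three file-system checks with root="/" and run check_processes() as root so that /proc/<pid>/exe is readable for every worker; a php-fpm process whose exe link points anywhere other than the package's install directory deserves a memory capture before it is killed, since killing it discards the only copy of the in-memory PHP payload.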

Notably, Glutton operators also infiltrate cybercrime forums to advertise compromised enterprise hosts with backdoors like l0ader_shell, weaponizing cybercriminal infrastructure to expand their reach.

Unusual Characteristics of Glutton

Despite its links to Winnti (APT41), Glutton exhibits certain shortcomings atypical for the group:

  • Unencrypted Communications: Uses HTTP instead of HTTPS for payload delivery.
  • Lack of Obfuscation: The code is devoid of stealth techniques commonly seen in advanced malware.
  • Subpar Operational Security: Samples suggest a lower sophistication than typically associated with APT41.

However, its overlap with Winnti's PWNLNX tool and its targeting of both legitimate enterprises and cybercriminals align with the group's established modus operandi.

Winnti’s Evolving Arsenal: From Glutton to Mélofée

The disclosure of Glutton follows XLab's report on an updated variant of Mélofée, a Linux backdoor already attributed to APT41; the new variant adds an RC4-encrypted kernel driver that hides the implant's activity on the host. Where Glutton lives inside PHP applications, Mélofée runs as a native Linux backdoor that executes operator commands and collects sensitive information.

With their combined functionality—spanning stealth, persistence, and exploitation of both enterprise and cybercriminal targets—APT41’s malware arsenal is evolving into a potent dual-threat.

Source: thehackernews.com