New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the US, Cambodia, Pakistan, and South Africa.

QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).

“Interestingly, our investigation revealed that Glutton’s creators deliberately targeted systems within the cybercrime market,” the company said. “By poisoning operations, they aimed to turn the tools of cybercriminals against them – a classic ‘no honor among thieves’ scenario.”

Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares “near-complete similarity” with a known Winnti tool called PWNLNX.

Despite the links to Winnti, XLab said it cannot definitively tie the backdoor to the adversary owing to the lack of stealth techniques typically associated with the group. The cybersecurity company described the shortcomings as “uncharacteristically subpar.”

This includes the lack of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) for downloading the payloads, and the fact that the samples are devoid of any obfuscation.

At its heart, Glutton is a modular malware framework capable of infecting PHP files on target devices, as well as planting backdoors. It is believed that initial access is achieved through the exploitation of zero-day and N-day flaws and brute-force attacks.

Another unconventional approach involves advertising on cybercrime forums compromised enterprise hosts containing l0ader_shell, a backdoor injected into PHP files, effectively allowing the operators to mount attacks on other cybercriminals.

The primary module that enables the attack is “task_loader,” which is used to assess the execution environment and fetch additional components, including “init_task,” which is responsible for downloading an ELF-based backdoor that masquerades as the FastCGI Process Manager (“/lib/php-fpm”), infecting PHP files with malicious code for further payload execution, and collecting sensitive information and modifying system files.

The attack chain also includes a module named “client_loader,” a refactored version of “init_task,” that uses an updated network infrastructure and incorporates the ability to download and execute a backdoored client. It modifies system files like “/etc/init.d/network” to establish persistence.

The PHP backdoor is a fully-featured backdoor that supports 22 unique commands that allow it to switch C2 connections between TCP and UDP, launch a shell, download/upload files, perform file and directory operations, and run arbitrary PHP code. In addition, the framework makes it possible to fetch and run more PHP payloads by periodically polling the C2 server.

“These payloads are highly modular, capable of functioning independently or being executed sequentially via task_loader to form a comprehensive attack framework,” XLab said. “All code execution occurs within PHP or PHP-FPM (FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint.”
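A host triage script for the on-disk and process indicators the article names for the init_task and client_loader stages (the /lib/php-fpm drop path, the /etc/init.d/network persistence edit, l0ader_shell in PHP files under the web root, and a php-fpm process executing from outside its packaged location), written here as an added example that is not XLab's or the malware's code; the list of legitimate php-fpm directories and the constructed infected-host layout used for the offline run are assumptions.

```python
import os
import tempfile
from pathlib import Path
# Indicators taken from the article; REAL_FPM_DIRS is an assumed allow-list.
FAKE_FPM = "lib/php-fpm"             # ELF backdoor masquerading as the FastCGI Process Manager
PERSIST_FILE = "etc/init.d/network"  # system file that client_loader modifies for persistence
INJECT_MARKER = "l0ader_shell"       # name of the backdoor injected into PHP files
REAL_FPM_DIRS = ("/usr/sbin/", "/usr/bin/", "/usr/local/")

def audit_host(root="/", www_dirs=("var/www",)):
    root, findings = Path(root), []   # root lets the audit run against a mounted disk image
    if (root / FAKE_FPM).exists():
        findings.append(f"/{FAKE_FPM}: binary at Glutton's php-fpm drop path")
    persist = root / PERSIST_FILE
    if persist.is_file():
        text = persist.read_text(errors="replace")
        if "/" + FAKE_FPM in text or "http://" in text:   # dropper path or plain-HTTP fetch
            findings.append(f"/{PERSIST_FILE}: references the dropper path or an HTTP download")
    for www in www_dirs:
        if (root / www).is_dir():
            for php in (root / www).rglob("*.php"):
                if INJECT_MARKER in php.read_text(errors="replace"):
                    findings.append(f"/{php.relative_to(root).as_posix()}: contains {INJECT_MARKER}")
    proc = root / "proc"
    for p in (proc.iterdir() if proc.is_dir() else ()):
        if not p.name.isdigit():
            continue
        try:   # /proc/<pid>/comm is the process name, /proc/<pid>/exe links to its binary
            comm = (p / "comm").read_text().strip()
            exe = os.readlink(p / "exe")
        except OSError:
            continue
        if comm.startswith("php-fpm") and not exe.startswith(REAL_FPM_DIRS):
            findings.append(f"pid {p.name}: php-fpm running from {exe}")
    return findings

def build_constructed_sample():
    """Constructed infected-host layout (no real malware) so the audit can be tried offline."""
    d = Path(tempfile.mkdtemp())
    files = {
        "lib/php-fpm": b"\x7fELF",
        "etc/init.d/network": b"#!/bin/sh\n/lib/php-fpm &\n",
        "var/www/app/public/index.php": b"<?php // l0ader_shell\n",
        "var/www/app/clean.php": b"<?php echo 'ok';\n",
        "proc/123/comm": b"php-fpm\n",
    }
    for rel, data in files.items():
        (d / rel).parent.mkdir(parents=True, exist_ok=True)
        (d / rel).write_bytes(data)
    os.symlink("/lib/php-fpm", d / "proc" / "123" / "exe")  # fake process exe link
    return d
```

Run `audit_host()` as root on a live host, or `audit_host("/mnt/image")` against a mounted image; an empty list means none of the article's indicators were found, not that the host is clean.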

Another notable aspect is the use of the HackBrowserData tool on systems used by cybercrime operators to steal sensitive information, with a likely goal of informing future phishing or social engineering campaigns.

“In addition to targeting traditional ‘whitehat’ victims through cybercrime, Glutton demonstrates a strategic focus on exploiting cybercrime resources operators,” XLab said. “This creates a recursive attack chain, leveraging the attackers’ own activities against them.”

The disclosure comes weeks after the Beijing-headquartered firm detailed an updated version of the APT41 malware called Mélofée that adds improved persistence mechanisms and “embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections.”

Once installed, the Linux backdoor is equipped to communicate with a C2 server to receive and execute various commands, including collecting device and process information, launching a shell, managing processes, carrying out file and directory operations, and uninstalling itself.

“Mélofée offers straightforward functionality with highly effective stealth capabilities,” it said. “Samples of this malware family are rare, suggesting that attackers may limit its use to high-value targets.”
