Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been used in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa.
QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).
“Interestingly, our investigation revealed that Glutton’s creators deliberately targeted systems across the cybercrime market,” the company said. “By poisoning operations, they aimed to turn the tools of cybercriminals against them – a classic ‘no honor among thieves’ scenario.”
Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks such as Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares “near-complete similarity” with a known Winnti tool called PWNLNX.
Despite the links to Winnti, XLab said it cannot definitively tie the backdoor to the adversary because the samples lack the stealth techniques typically associated with the group. The cybersecurity company described the shortcomings as “uncharacteristically subpar.”
These include the lack of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) for downloading the payloads, and the fact that the samples carry no obfuscation at all. For defenders, those same shortcomings mean the payload downloads and C2 traffic are visible to ordinary network inspection.
At its core, Glutton is a modular malware framework capable of infecting PHP files on target devices as well as planting backdoors. Initial access is believed to be achieved through the exploitation of zero-day and N-day flaws and brute-force attacks.
Another unconventional approach involves advertising, on cybercrime forums, compromised enterprise hosts containing l0ader_shell, a backdoor injected into PHP files, effectively allowing the operators to mount attacks on other cybercriminals.
The primary module that enables the attack is “task_loader,” which assesses the execution environment and fetches additional components. These include “init_task,” which downloads an ELF-based backdoor that masquerades as the FastCGI Process Manager (“/lib/php-fpm”), infects PHP files with malicious code for further payload execution, collects sensitive information, and modifies system files.
The attack chain also includes a module named “client_loader,” a refactored version of “init_task” that uses updated network infrastructure and adds the ability to download and execute a backdoored client. It modifies system files such as “/etc/init.d/network” to establish persistence.
The PHP backdoor is fully featured, supporting 22 unique commands that allow it to switch C2 connections between TCP and UDP, launch a shell, download and upload files, perform file and directory operations, and run arbitrary PHP code. The framework can also fetch and run additional PHP payloads by periodically polling the C2 server.
“These payloads are highly modular, capable of functioning independently or being executed sequentially via task_loader to form a comprehensive attack framework,” XLab said. “All code execution occurs within PHP or PHP-FPM (FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint.”
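The host-side artefacts described in the last few paragraphs can be hunted for directly. The script below is an added example, not XLab's code and not anything taken from the Glutton samples. It checks the three artefacts the write-up names: an ELF dropped as /lib/php-fpm (real php-fpm binaries normally live under /usr/sbin or /usr/local/sbin), edits to /etc/init.d/network, and PHP files carrying injected loader code. The text heuristics it applies (an exec-plus-decode pair on one PHP line, any mention of PHP in the network init script) and the mock filesystem it builds are assumptions of this example, not indicators published in the report.

```python
#!/usr/bin/env python3
"""Host-hunting helper for the Glutton artefacts described above (added
example; not XLab's code, not the malware's). The match heuristics and the
mock host are assumptions of this example, not indicators from the report."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Paths named in the write-up, relative to the scanned root.
FAKE_FPM = "lib/php-fpm"          # legitimate php-fpm is never directly in /lib
NETWORK_INIT = "etc/init.d/network"

# Heuristic (assumption, not a published IOC): an injected PHP loader pairs a
# dynamic-execution primitive with a decode/inflate primitive on one line.
EXEC_RE = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
DECODE_RE = re.compile(r"\b(base64_decode|gzuncompress|gzinflate|str_rot13|hex2bin)\s*\(", re.I)
# Heuristic (assumption): a network init script has no reason to mention PHP.
INIT_RE = re.compile(r"php", re.I)


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def suspicious_lines(path: Path, *patterns: re.Pattern) -> list[str]:
    """Return 'path:lineno: text' for every line matching all given patterns."""
    hits: list[str] = []
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return hits
    for lineno, line in enumerate(lines, 1):
        if all(p.search(line) for p in patterns):
            hits.append(f"{path}:{lineno}: {line.strip()[:80]}")
    return hits


def hunt(root: Path, web_roots: list[Path]) -> dict[str, list[str]]:
    """Scan a filesystem rooted at `root` (use Path('/') on a live host)."""
    findings: dict[str, list[str]] = {"fake_php_fpm": [], "init_script": [], "injected_php": []}

    fpm = root / FAKE_FPM
    if fpm.exists():
        kind = "ELF binary" if is_elf(fpm) else "non-ELF file"
        findings["fake_php_fpm"].append(f"{fpm}: {kind} where no php-fpm belongs")

    init = root / NETWORK_INIT
    if init.exists():
        findings["init_script"].extend(suspicious_lines(init, INIT_RE))

    for web_root in web_roots:
        for php in web_root.rglob("*.php"):
            findings["injected_php"].extend(suspicious_lines(php, EXEC_RE, DECODE_RE))
    return findings


def build_demo_host(root: Path) -> None:
    """Lay out a constructed, harmless mock of an infected host under `root`."""
    (root / "lib").mkdir(parents=True)
    (root / "lib" / "php-fpm").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)
    (root / "etc" / "init.d").mkdir(parents=True)
    (root / "etc" / "init.d" / "network").write_text(
        "#!/bin/sh\n# start networking\n/lib/php-fpm &\nexit 0\n"
    )
    app = root / "www" / "app"
    (app / "public").mkdir(parents=True)
    (app / "vendor").mkdir()
    # Clean file: a decode call with no exec primitive beside it is not flagged.
    (app / "public" / "index.php").write_text(
        "<?php\n$cfg = json_decode(base64_decode($raw), true);\necho 'ok';\n"
    )
    # Injected file: the encoded payload is just phpinfo(); to keep the mock harmless.
    (app / "vendor" / "helpers.php").write_text(
        "<?php\nfunction h(){return 1;}\n@eval(base64_decode('cGhwaW5mbygpOw=='));\n"
    )


def demo() -> dict[str, list[str]]:
    """Build the mock host in a temp dir and run the hunt against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_host(root)
        return hunt(root, [root / "www"])


if __name__ == "__main__":
    for category, hits in demo().items():
        print(f"[{category}] {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
```

On a live host, call `hunt(Path("/"), [Path("/var/www"), ...])` with the real web roots; `demo()` only exercises the logic against the constructed mock. A hit on /lib/php-fpm should be followed by comparing the binary's hash with the distribution's php-fpm package and checking which executable the running PHP-FPM workers were actually started from, since the write-up notes that the payloads otherwise execute in memory and leave no file behind.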
Another notable aspect is the use of the HackBrowserData tool on systems used by cybercrime operators to steal sensitive information, likely with the goal of informing future phishing or social engineering campaigns.
“In addition to targeting traditional ‘whitehat’ victims by cybercrime, Glutton demonstrates a strategic focus on exploiting cybercrime resource operators,” XLab said. “This creates a recursive attack chain, leveraging the attackers’ own activities against them.”
The disclosure comes weeks after XLab detailed an updated version of the APT41 malware called Mélofée that adds improved persistence mechanisms and “embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections.”
Once installed, the Linux backdoor communicates with a C2 server to receive and execute various commands, including collecting device and process information, launching a shell, managing processes, carrying out file and directory operations, and uninstalling itself.
“Mélofée offers simple functionality with highly effective stealth capabilities,” it said. “Samples of this malware family are rare, suggesting that attackers may limit its use to high-value targets.”