Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa.
QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).
“Interestingly, our investigation revealed that Glutton’s creators deliberately targeted systems within the cybercrime market,” the company said. “By poisoning operations, they aimed to turn the tools of cybercriminals against them – a classic ‘no honor among thieves’ scenario.”
Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares “near-complete similarity” with a known Winnti tool called PWNLNX.
Despite the links to Winnti, XLab said it cannot definitively link the backdoor to the adversary owing to the lack of stealth techniques typically associated with the group. The cybersecurity company described the shortcomings as “uncharacteristically subpar.”
This includes the lack of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) for downloading the payloads, and the fact that the samples are devoid of any obfuscation.
At its heart, Glutton is a modular malware framework capable of infecting PHP files on target devices and planting backdoors. It is believed that initial access is achieved through the exploitation of zero-day and N-day flaws and brute-force attacks.
Another unconventional approach involves advertising on cybercrime forums compromised enterprise hosts containing l0ader_shell, a backdoor injected into PHP files, effectively allowing the operators to mount attacks on other cybercriminals.
The primary module that enables the attack is “task_loader,” which is used to assess the execution environment and fetch additional components, including “init_task,” which is responsible for downloading an ELF-based backdoor that masquerades as the FastCGI Process Manager (“/lib/php-fpm”), infecting PHP files with malicious code for further payload execution, collecting sensitive information, and modifying system files.
The attack chain also includes a module named “client_loader,” a refactored version of “init_task,” that uses updated network infrastructure and incorporates the ability to download and execute a backdoored client. It modifies system files like “/etc/init.d/network” to establish persistence.
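The two host-level indicators named above (an ELF posing as php-fpm at “/lib/php-fpm” and an edited “/etc/init.d/network”) lend themselves to a simple triage check. The following script is an added example, not XLab’s code or anything from the report; the expected php-fpm directories and the sample process list, init script and file header are constructed assumptions standing in for live collection from /proc and the filesystem.

```python
import os
from dataclasses import dataclass

# Directories where a distribution-packaged php-fpm binary normally lives (assumption).
EXPECTED_PHP_FPM_DIRS = ("/usr/sbin", "/usr/local/sbin", "/usr/bin", "/usr/local/bin")
GLUTTON_ELF_PATH = "/lib/php-fpm"          # path the report gives for the ELF component
PERSISTENCE_FILE = "/etc/init.d/network"   # system file the report says client_loader edits
ELF_MAGIC = b"\x7fELF"

@dataclass
class Proc:
    pid: int
    comm: str  # name from /proc/<pid>/comm
    exe: str   # resolved /proc/<pid>/exe target

def masquerading_php_fpm(procs):
    """php-fpm-named processes whose executable sits outside the expected directories."""
    return [p for p in procs
            if "php-fpm" in p.comm and os.path.dirname(p.exe) not in EXPECTED_PHP_FPM_DIRS]

def persistence_lines(init_script_text):
    """Lines of an init script (e.g. /etc/init.d/network) that reference the masquerade path."""
    return [ln.strip() for ln in init_script_text.splitlines() if GLUTTON_ELF_PATH in ln]

def is_elf(first_bytes):
    """True when the leading bytes carry the ELF magic; a binary under /lib/php-fpm is unexpected."""
    return first_bytes[:4] == ELF_MAGIC

# Constructed sample data standing in for live collection on a host.
SAMPLE_PROCS = [
    Proc(1201, "php-fpm", "/usr/sbin/php-fpm"),   # legitimate, package-installed
    Proc(4310, "php-fpm", "/lib/php-fpm"),        # matches the reported masquerade path
    Proc(987, "nginx", "/usr/sbin/nginx"),
]
SAMPLE_INIT_SCRIPT = (
    "#!/bin/sh\n"
    "# network init script (constructed sample)\n"
    "/lib/php-fpm &\n"   # injected start line
    "exit 0\n"
)
SAMPLE_HEADER = b"\x7fELF\x02\x01\x01\x00"   # first bytes read from the suspect file

def run_triage(procs=SAMPLE_PROCS, init_script=SAMPLE_INIT_SCRIPT, header=SAMPLE_HEADER):
    """Combine the checks into one report; empty lists / False mean no indicator found."""
    return {
        "masquerading_pids": [p.pid for p in masquerading_php_fpm(procs)],
        "persistence_lines": persistence_lines(init_script),
        "lib_php_fpm_is_elf": is_elf(header),
    }

if __name__ == "__main__":
    print(run_triage())
```

On a real host, replace the sample inputs with a walk of /proc/*/comm and /proc/*/exe, the contents of /etc/init.d/network, and the first bytes of /lib/php-fpm if it exists.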
The PHP backdoor is a fully-featured backdoor that supports 22 unique commands that allow it to switch C2 connections between TCP and UDP, launch a shell, download/upload files, perform file and directory operations, and run arbitrary PHP code. In addition, the framework makes it possible to fetch and run more PHP payloads by periodically polling the C2 server.
“These payloads are highly modular, capable of functioning independently or being executed sequentially via task_loader to form a comprehensive attack framework,” XLab said. “All code execution occurs within PHP or PHP-FPM (FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint.”
One other notable aspect is the use of the HackBrowserData tool on systems used by cybercrime operators to steal sensitive information, with a likely goal of informing future phishing or social engineering campaigns.
“In addition to targeting traditional ‘whitehat’ victims through cybercrime, Glutton demonstrates a strategic focus on exploiting cybercrime resources operators,” XLab said. “This creates a recursive attack chain, leveraging the attackers’ own activities against them.”
The disclosure comes weeks after XLab detailed an updated version of the APT41 malware called Mélofée that adds improved persistence mechanisms and “embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections.”
Once installed, the Linux backdoor is equipped to communicate with a C2 server to receive and execute various commands, including collecting device and process information, launching a shell, managing processes, carrying out file and directory operations, and uninstalling itself.
“Mélofée offers simple functionality with highly effective stealth capabilities,” it said. “Samples of this malware family are rare, suggesting that attackers may limit its use to high-value targets.”