Monday, January 27, 2025

New Glutton Malware Exploits Common PHP Frameworks Like Laravel and ThinkPHP

Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been used in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa.

QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).

“Interestingly, our investigation revealed that Glutton’s creators deliberately targeted systems within the cybercrime market,” the company said. “By poisoning operations, they aimed to turn the tools of cybercriminals against them – a classic ‘no honor among thieves’ scenario.”

Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares “near-complete similarity” with a known Winnti tool called PWNLNX.

Despite the links to Winnti, XLab said it cannot definitively tie the backdoor to the adversary owing to the lack of stealth techniques typically associated with the group. The cybersecurity company described the shortcomings as “uncharacteristically subpar.”

This includes the lack of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) for downloading the payloads, and the fact that the samples are devoid of any obfuscation.

At its core, Glutton is a modular malware framework capable of infecting PHP files on target devices, as well as planting backdoors. Initial access is believed to be achieved via the exploitation of zero-day and N-day flaws and brute-force attacks.

Another unconventional approach involves advertising on cybercrime forums compromised enterprise hosts containing l0ader_shell, a backdoor injected into PHP files, effectively allowing the operators to mount attacks on other cybercriminals.

The primary module that enables the attack is “task_loader,” which is used to assess the execution environment and fetch additional components, including “init_task,” which is responsible for downloading an ELF-based backdoor that masquerades as the FastCGI Process Manager (“/lib/php-fpm”), infecting PHP files with malicious code for further payload execution, and collecting sensitive information and modifying system files.

The attack chain also includes a module named “client_loader,” a refactored version of “init_task,” that uses an updated network infrastructure and incorporates the ability to download and execute a backdoored client. It modifies system files like “/etc/init.d/network” to establish persistence.

The PHP backdoor is fully featured and supports 22 unique commands that allow it to switch C2 connections between TCP and UDP, launch a shell, download/upload files, perform file and directory operations, and run arbitrary PHP code. In addition, the framework makes it possible to fetch and run additional PHP payloads by periodically polling the C2 server.

“These payloads are highly modular, capable of functioning independently or being executed sequentially via task_loader to form a comprehensive attack framework,” XLab said. “All code execution occurs within PHP or PHP-FPM (FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint.”

Another notable aspect is the use of the HackBrowserData tool on systems used by cybercrime operators to steal sensitive information, likely with the goal of informing future phishing or social engineering campaigns.
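The behaviour described above leaves two host-level traces a defender can baseline: PHP files under a framework root whose content changes, and files at the paths XLab names (“/lib/php-fpm” for the masquerading ELF, “/etc/init.d/network” for persistence). The following is an added example, not code from XLab or the article, showing a minimal hash-based integrity check over those files; the app tree and tampering in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Paths named in the XLab report: the ELF component masquerades as PHP-FPM
# here (a real php-fpm normally lives under /usr/sbin), and client_loader
# edits this init script for persistence.
FAKE_FPM_PATH = "/lib/php-fpm"
PERSISTENCE_FILE = "/etc/init.d/network"

def hash_files(paths):
    """Return {path: sha256} for every existing regular file in paths."""
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in map(Path, paths) if p.is_file()}

def php_files(root):
    """Return every .php file below a framework root (Laravel, ThinkPHP, Yii, ...)."""
    return [str(p) for p in Path(root).rglob("*.php")]

def diff_snapshots(before, after):
    """Files added, removed or changed between two snapshots from hash_files."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }

def fake_fpm_present(exists=os.path.exists):
    """True if something sits where Glutton's ELF backdoor poses as php-fpm."""
    return exists(FAKE_FPM_PATH)

def demo():
    """Constructed scenario: snapshot a toy app tree plus an init script, then tamper."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "app")
        app.mkdir()
        (app / "index.php").write_text("<?php echo 'hello';\n")
        (app / "Kernel.php").write_text("<?php class Kernel {}\n")
        init = Path(root, "network")  # stands in for PERSISTENCE_FILE
        init.write_text("#!/bin/sh\nstart() { :; }\n")
        before = hash_files(php_files(root) + [str(init)])
        # Simulated tampering (inert, constructed): a stub prepended to one PHP file,
        # a new PHP file dropped, and a line appended to the init script.
        (app / "index.php").write_text("<?php /* injected stub */ ?>\n" + (app / "index.php").read_text())
        (app / "helper.php").write_text("<?php // dropped file\n")
        init.write_text(init.read_text() + "# added persistence line\n")
        changes = diff_snapshots(before, hash_files(php_files(root) + [str(init)]))
        return {k: [Path(p).relative_to(root).as_posix() for p in v] for k, v in changes.items()}
```

In production the first snapshot would be taken from a known-good deployment and stored off-host, with `PERSISTENCE_FILE` and the real framework root passed to `hash_files`.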

“In addition to targeting traditional ‘whitehat’ victims through cybercrime, Glutton demonstrates a strategic focus on exploiting cybercrime resources operators,” XLab said. “This creates a recursive attack chain, leveraging the attackers’ own activities against them.”

The disclosure comes weeks after the Beijing-headquartered firm detailed an updated version of the APT41 malware called Mélofée that adds improved persistence mechanisms and “embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections.”

Once installed, the Linux backdoor is equipped to communicate with a C2 server to receive and execute various commands, including collecting device and process information, launching a shell, managing processes, carrying out file and directory operations, and uninstalling itself.

“Mélofée offers simple functionality with highly effective stealth capabilities,” it said. “Samples of this malware family are rare, suggesting that attackers may limit its use to high-value targets.”
