New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP


Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa.

QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).

“Interestingly, our investigation revealed that Glutton’s creators deliberately targeted systems within the cybercrime market,” the company said. “By poisoning operations, they aimed to turn the tools of cybercriminals against them – a classic ‘no honor among thieves’ scenario.”

Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also shares “near-complete similarity” with a known Winnti tool referred to as PWNLNX.

Despite the links to Winnti, XLab said it cannot definitively attribute the backdoor to the adversary, owing to the lack of stealth techniques typically associated with the group. The cybersecurity company described the shortcomings as “uncharacteristically subpar.”

This includes the lack of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) for downloading the payloads, and the fact that the samples are devoid of any obfuscation.

At its heart, Glutton is a modular malware framework capable of infecting PHP files on target devices as well as planting backdoors. Initial access is believed to be achieved through the exploitation of zero-day and N-day flaws and brute-force attacks.

Another unconventional approach involves advertising, on cybercrime forums, compromised enterprise hosts that contain l0ader_shell, a backdoor injected into PHP files, effectively allowing the operators to mount attacks on other cybercriminals.

The primary module that enables the attack is “task_loader,” which assesses the execution environment and fetches additional components. One of these is “init_task,” which is responsible for downloading an ELF-based backdoor that masquerades as the FastCGI Process Manager (“/lib/php-fpm”), infecting PHP files with malicious code for further payload execution, collecting sensitive information, and modifying system files.

The attack chain also includes a module named “client_loader,” a refactored version of “init_task” that uses updated network infrastructure and adds the ability to download and execute a backdoored client. It modifies system files such as “/etc/init.d/network” to establish persistence.
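The two host-level artifacts the report names, a php-fpm impostor at “/lib/php-fpm” and tampering with “/etc/init.d/network”, are concrete enough to hunt for. The script below is an added example written for this page, not code from XLab or from the malware; it takes a process listing and a baseline of init-script contents and flags the indicators described above. The process lines, file contents and the list of legitimate php-fpm install directories are constructed assumptions, not data from the report.

```python
"""Hunt for the Glutton host indicators named above (added example, not XLab code).

Two checks:
  1. php-fpm processes whose executable lives outside the usual install
     directories (the report's backdoor masquerades as /lib/php-fpm).
  2. init scripts whose content no longer matches a recorded baseline
     (the report's client_loader modifies /etc/init.d/network).
"""
import re
from dataclasses import dataclass
from hashlib import sha256

# Assumption: where a genuine php-fpm binary is installed on common distros.
# Extend this for your own fleet; anything else is worth a second look.
LEGIT_PHP_FPM_DIRS = ("/usr/sbin/", "/usr/local/sbin/", "/usr/bin/",
                      "/usr/local/bin/", "/opt/")

# Paths the report ties to the backdoor; reason strings are ours.
SUSPECT_PATHS = {
    "/lib/php-fpm": "ELF backdoor masquerading as the FastCGI Process Manager",
    "/etc/init.d/network": "init script modified for persistence",
}


@dataclass
class Finding:
    pid: int
    exe: str
    reason: str


# Expects "PID EXE ARGS" columns, e.g. the output of: ps -eo pid,exe,args
PS_LINE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<exe>\S+)\s*(?P<args>.*)$")


def audit_processes(ps_output: str) -> list[Finding]:
    """Flag php-fpm-like processes running from an unexpected executable path."""
    findings = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:                      # header or malformed line
            continue
        pid, exe = int(m["pid"]), m["exe"]
        if "php-fpm" not in exe.rsplit("/", 1)[-1]:
            continue                   # only interested in php-fpm impostors
        if exe in SUSPECT_PATHS:
            findings.append(Finding(pid, exe, SUSPECT_PATHS[exe]))
        elif not exe.startswith(LEGIT_PHP_FPM_DIRS):
            findings.append(Finding(pid, exe, "php-fpm running from unexpected path"))
    return findings


def audit_init_scripts(baseline: dict[str, str], current: dict[str, str]) -> list[str]:
    """Return init-script paths whose content hash drifted from the baseline.

    Both dicts map path -> file content; in real use read them from disk
    (or a file-integrity database) rather than passing strings.
    """
    changed = []
    for path, known in baseline.items():
        now = current.get(path)
        if now is None or sha256(now.encode()).hexdigest() != sha256(known.encode()).hexdigest():
            changed.append(path)
    return changed


# ---- constructed sample data (not from the report) -------------------------
SAMPLE_PS = """\
  PID EXE                   ARGS
  812 /usr/sbin/php-fpm8.2  php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)
  813 /usr/sbin/php-fpm8.2  php-fpm: pool www
 4471 /lib/php-fpm          php-fpm: master process
 4490 /usr/bin/bash         -c sleep 60
"""

SAMPLE_BASELINE = {
    "/etc/init.d/network": "#!/bin/sh\n# network init (constructed baseline)\n",
    "/etc/init.d/ssh": "#!/bin/sh\n# ssh init (constructed baseline)\n",
}
SAMPLE_CURRENT = {
    "/etc/init.d/network": "#!/bin/sh\n# network init (constructed baseline)\n# extra line appended\n",
    "/etc/init.d/ssh": "#!/bin/sh\n# ssh init (constructed baseline)\n",
}

if __name__ == "__main__":
    for f in audit_processes(SAMPLE_PS):
        print(f"[proc] pid={f.pid} exe={f.exe}: {f.reason}")
    for p in audit_init_scripts(SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(f"[file] {p}: {SUSPECT_PATHS.get(p, 'content drifted from baseline')}")
```

On a live host, feed `audit_processes` the output of `ps -eo pid,exe,args` and `audit_init_scripts` a baseline captured before deployment; the path allowlist is the only part that needs tuning per environment.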

The PHP backdoor is fully featured, supporting 22 unique commands that allow it to switch C2 connections between TCP and UDP, launch a shell, download and upload files, perform file and directory operations, and run arbitrary PHP code. In addition, the framework can fetch and run further PHP payloads by periodically polling the C2 server.

“These payloads are highly modular, capable of functioning independently or being executed sequentially via task_loader to form a comprehensive attack framework,” XLab said. “All code execution occurs within PHP or PHP-FPM (FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint.”

One other notable aspect is the use of the HackBrowserData tool on systems used by cybercrime operators to steal sensitive information, likely to inform future phishing or social engineering campaigns.

“In addition to targeting traditional ‘whitehat’ victims through cybercrime, Glutton demonstrates a strategic focus on exploiting cybercrime resources operators,” XLab said. “This creates a recursive attack chain, leveraging the attackers’ own activities against them.”

The disclosure comes weeks after the Beijing-headquartered firm detailed an updated version of the APT41 malware called Mélofée that adds improved persistence mechanisms and “embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections.”

Once installed, the Linux backdoor communicates with a C2 server to receive and execute various commands, including collecting device and process information, launching a shell, managing processes, carrying out file and directory operations, and uninstalling itself.

“Mélofée offers straightforward functionality with highly effective stealth capabilities,” it said. “Samples of this malware family are rare, suggesting that attackers may limit its use to high-value targets.”

Ravie Lakshmanan
