December 16, 2024

Winnti Hackers Unleash Glutton PHP Backdoor Targeting Cybercrime Ecosystem



Chinese cybersecurity researchers from QAX's XLab have uncovered a sophisticated PHP-based backdoor named 'Glutton', which targets organizations in multiple countries while simultaneously exploiting the cybercrime ecosystem itself.

Discovered in late April 2024, the Glutton malware is attributed with moderate confidence to the notorious Winnti hacking group, known for advanced cyber espionage campaigns. The backdoor demonstrates a unique approach by deliberately targeting systems within cybercrime markets, effectively turning criminal tools against their own operators.

The malware is designed as a highly modular framework capable of infecting PHP files across popular web frameworks like Baota, ThinkPHP, Yii, and Laravel. Its core functionality includes harvesting sensitive system information, dropping additional backdoor components, and performing sophisticated code injections.

Glutton's attack chain begins with a "task_loader" module that assesses the execution environment and retrieves additional components. The "init_task" component is responsible for downloading an ELF-based backdoor that masquerades as the FastCGI Process Manager, enabling it to infect PHP files and collect sensitive information.

Researchers noted some unusual characteristics of the malware, including uncharacteristically weak stealth techniques compared to typical Winnti operations. These include a lack of encrypted command-and-control communications, the use of plain HTTP for payload downloads, and minimal obfuscation of the malware samples.

A particularly intriguing aspect of Glutton is its strategy of infiltrating cybercrime forums like Timibbs, where enterprise hosts containing backdoors are advertised. By poisoning tools sold for gambling, gaming, and cryptocurrency operations, the attackers create a recursive attack mechanism that turns other cybercriminals into unwitting agents.

The malware's modular design supports 22 unique commands, allowing operators to switch command-and-control connections, launch shells, manage files, and execute arbitrary PHP code. This flexibility enables the attackers to maintain persistent access and expand their operational capabilities.

Geographical targeting appears focused on organizations in China, the United States, Cambodia, Pakistan, and South Africa, spanning sectors like IT services, social security, and web application development. The initial infection vectors likely involve exploiting zero-day and N-day vulnerabilities, as well as brute-force attacks.

XLab researchers emphasized that Glutton represents a strategic approach to cyber operations, demonstrating how threat actors can leverage the cybercrime ecosystem itself as an attack platform. By embedding backdoors in tools sold on underground forums, they create a self-propagating mechanism for intelligence gathering and potential future attacks.

Organizations are advised to carefully monitor PHP-based systems, implement robust input validation, and maintain updated security patches to mitigate potential Glutton infections. The discovery underscores the evolving sophistication of state-sponsored cyber threat actors in developing innovative infiltration techniques.
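One concrete monitoring check that follows from the report's description of an ELF backdoor posing as the FastCGI Process Manager: flag any process that calls itself php-fpm but does not run from a trusted, package-managed binary. This is an added illustration, not code from the XLab report or from this article; the trusted directories, the process records, and the field layout are assumptions, and the sample records are constructed for offline use.

```python
"""Flag processes that present as PHP-FPM but do not run from a trusted php-fpm binary.

On a live Linux host the fields below come from /proc/<pid>/comm, /proc/<pid>/cmdline
and readlink(/proc/<pid>/exe); here they are constructed records so the check runs offline.
"""
from dataclasses import dataclass
import os

# Assumption: directories where a distribution-packaged php-fpm binary normally lives.
TRUSTED_PHP_FPM_DIRS = ("/usr/sbin", "/usr/local/sbin", "/usr/bin")


@dataclass
class ProcRecord:
    pid: int
    comm: str      # /proc/<pid>/comm (kernel truncates to 15 chars)
    cmdline: str   # /proc/<pid>/cmdline with NUL separators replaced by spaces
    exe: str       # readlink(/proc/<pid>/exe); "" when unreadable


def looks_like_php_fpm(rec: ProcRecord) -> bool:
    """php-fpm rewrites its process title, so match on comm or the first cmdline token."""
    return "php-fpm" in rec.comm or "php-fpm" in rec.cmdline.split(" ", 1)[0]


def why_suspicious(rec: ProcRecord):
    """Return a reason string if a php-fpm-looking process is untrustworthy, else None."""
    if not looks_like_php_fpm(rec):
        return None
    if not rec.exe:
        return "exe link unreadable"
    if rec.exe.endswith(" (deleted)"):
        return "binary deleted from disk while still running"
    exe_dir, exe_name = os.path.split(rec.exe)
    if not exe_name.startswith("php-fpm"):
        return f"process title claims php-fpm but exe is {rec.exe}"
    if exe_dir not in TRUSTED_PHP_FPM_DIRS:
        return f"php-fpm running from untrusted directory {exe_dir}"
    return None


def scan(records):
    """Map pid -> reason for every record that fails the check."""
    return {r.pid: why_suspicious(r) for r in records if why_suspicious(r)}


# Constructed sample records (not observations from the Glutton report).
SAMPLE = [
    ProcRecord(812, "php-fpm8.2", "php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)", "/usr/sbin/php-fpm8.2"),
    ProcRecord(813, "php-fpm8.2", "php-fpm: pool www", "/usr/sbin/php-fpm8.2"),
    ProcRecord(2119, "php-fpm", "php-fpm: master process", "/tmp/.x/php-fpm"),
    ProcRecord(2120, "php-fpm", "php-fpm: pool www", "/dev/shm/fcgi (deleted)"),
    ProcRecord(2201, "nginx", "nginx: worker process", "/usr/sbin/nginx"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE).items():
        print(f"pid {pid}: {reason}")
```

On a real host, build `ProcRecord` entries by iterating the numeric directories under `/proc`; processes whose `exe` link cannot be read or resolves to `(deleted)` deserve a closer look before anything else.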

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing on a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to present complex security topics with clarity and insight.
