Cybersecurity researchers have uncovered a new PHP-based backdoor dubbed Glutton, actively used in cyberattacks targeting regions like China, the United States, Cambodia, Pakistan, and South Africa. The malicious activity was identified by QiAnXin XLab in late April 2024, linking the attack with moderate confidence to the Chinese nation-state group Winnti (APT41).
Glutton Malware: No Honor Among Thieves
Interestingly, the researchers noted that Glutton’s creators have adopted an unconventional approach: they deliberately infiltrate the cybercrime market. By compromising tools and systems used by other cybercriminals, the attackers effectively turn their enemies’ resources against them — embodying the classic saying, “no honor among thieves.”
Targeted PHP Frameworks and Backdoor Capabilities
Glutton malware is designed to:
Harvest sensitive system data
Inject code into popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel
Deploy an ELF-based backdoor component
The ELF malware bears striking similarities to a well-known Winnti tool, PWNLNX. Despite this, XLab noted some peculiarities: Glutton lacks the usual stealth techniques associated with Winnti, such as encrypted command-and-control (C2) communication, the use of HTTPS, and code obfuscation. The researchers described these shortcomings as “uncharacteristically subpar.”
Attack Chain: Modular and Persistent
Glutton operates as a modular malware framework, capable of infecting PHP files, planting backdoors, and exfiltrating sensitive data. Initial access is believed to occur through:
Exploitation of zero-day and N-day vulnerabilities
Brute-force attacks targeting weak credentials
One unconventional tactic involves attackers advertising compromised enterprise hosts on cybercrime forums. These hosts contain a backdoor known as l0ader_shell, injected into PHP files. This allows attackers to exploit other cybercriminals’ operations.
Core Modules Driving the Attack
The primary module in Glutton’s arsenal is task_loader, which assesses the execution environment and retrieves additional components. Key functionalities include:
init_task: Downloads an ELF backdoor (disguised as "/lib/php-fpm") to:
Infect PHP files with malicious payloads
Execute additional tasks and collect sensitive information
Modify system files for persistence
client_loader: A refined version of init_task that incorporates updated network infrastructure. It modifies critical system files (e.g., "/etc/init.d/network") to establish long-term persistence.
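As an added defender-side example (not XLab's tooling or anything from the report), the following host hunt looks for the three artifacts named above: a file at the "/lib/php-fpm" path the ELF backdoor disguises itself under, a modified "/etc/init.d/network" that references php-fpm, and PHP files under the web roots changed since the last known deployment. The root prefix, the web-root list and the deployment timestamp are assumed inputs supplied by the operator.

```python
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
DROPPER_REL = "lib/php-fpm"             # path the report gives for the disguised ELF backdoor
INIT_SCRIPT_REL = "etc/init.d/network"  # file client_loader edits for persistence


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def hunt(root: str, php_roots: list[str], deployed_at: float) -> list[str]:
    """Return human-readable findings for a host whose filesystem is mounted at `root`.

    php_roots:   web-application directories (ThinkPHP, Laravel, Yii, Baota sites) to scan.
    deployed_at: epoch seconds of the last legitimate deployment; PHP files newer than
                 this are flagged as candidates for injected code (assumed baseline).
    """
    base = Path(root)
    findings: list[str] = []

    dropper = base / DROPPER_REL
    if dropper.is_file():
        kind = "ELF binary" if is_elf(dropper) else "file"
        findings.append(f"{dropper}: unexpected {kind} at the path Glutton's backdoor uses")

    init_script = base / INIT_SCRIPT_REL
    if init_script.is_file():
        lines = init_script.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            # Assumption: a network init script has no legitimate reason to launch php-fpm
            if "php-fpm" in line:
                findings.append(f"{init_script}:{lineno}: references php-fpm: {line.strip()}")

    for web_root in php_roots:
        for php_file in Path(web_root).rglob("*.php"):
            if php_file.stat().st_mtime > deployed_at:
                findings.append(f"{php_file}: modified after last deployment")
    return findings
```

Run it against a live root ("/") or a mounted disk image; anything it reports is a lead for manual triage, not a verdict.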
Advanced Backdoor Functionalities
The PHP backdoor supports 22 unique commands, enabling attackers to:
Switch C2 communication between TCP and UDP
Launch remote shells
Download and upload files
Perform file and directory operations
Execute arbitrary PHP code
The malware can also fetch and execute additional PHP payloads by regularly polling its C2 server. All malicious activity runs inside PHP or PHP-FPM (FastCGI) processes, so no standalone payload files are written to disk, which keeps the on-host footprint small.
Stealing Sensitive Data: HackBrowserData Tool
Another notable aspect is Glutton’s use of HackBrowserData, a tool deployed on systems operated by cybercriminals. Its goal appears to be stealing sensitive data to inform future phishing or social engineering attacks.
Turning Cybercrime on Itself
“Glutton demonstrates a strategic focus on exploiting cybercriminal resources, creating a recursive attack chain that leverages the attackers’ own activities against them,” XLab said. By weaponizing compromised tools, Glutton introduces a new layer of complexity into the cybercrime landscape.
Related Malware: APT41’s Mélofée Backdoor
The disclosure of Glutton follows closely on the heels of another discovery by XLab: an updated version of APT41’s Mélofée malware. Mélofée is equipped with:
Enhanced persistence mechanisms
An RC4-encrypted kernel driver for hiding files, processes, and network activity
Once installed, the Linux backdoor communicates with a C2 server to execute various tasks, including gathering system information, managing files, and launching remote shells. XLab noted that Mélofée’s rarity suggests it may be reserved for high-value targets.
Conclusion
The discovery of Glutton malware highlights a sophisticated yet unconventional strategy: infiltrating the cybercrime market to exploit cybercriminals’ own tools. Its modular design, combined with execution hosted entirely inside PHP processes, presents a significant threat to PHP-based frameworks like Laravel and ThinkPHP. As cyber threats continue to evolve, organizations must prioritize proactive security measures to protect their systems from both traditional adversaries and unexpected threats.