    Glutton Malware Weaponizes PHP Frameworks Like Laravel and ThinkPHP

    Cybersecurity experts have unveiled a sophisticated PHP-based malware, dubbed Glutton, which has surfaced in targeted cyber assaults across China, the United States, Cambodia, Pakistan, and South Africa.

    This newly identified backdoor was detected by QiAnXin XLab in late April 2024, with researchers tentatively linking it to the infamous Chinese state-sponsored group known as Winnti (also referred to as APT41) with moderate confidence.

    “Intriguingly, our analysis indicates that Glutton’s developers intentionally infiltrated the cybercrime ecosystem,” QiAnXin XLab stated. “By compromising their tools, the creators sought to weaponize the infrastructure of cybercriminals against themselves, encapsulating the ethos of ‘no honor among thieves.’”

    Exploiting Popular PHP Frameworks

    Glutton functions as a multifaceted tool, capable of exfiltrating sensitive system data, deploying ELF backdoor components, and embedding malicious code into widely used PHP frameworks, including Baota (BT), ThinkPHP, Yii, and Laravel. The ELF backdoor bears a striking resemblance to an established Winnti tool known as PWNLNX, indicating a possible lineage.

    However, the researchers noted anomalies. The lack of sophisticated obfuscation and secure command-and-control (C2) communications—a hallmark of Winnti operations—raises questions about direct attribution. For instance, Glutton’s use of unencrypted HTTP protocols to deliver payloads and the absence of stealth measures such as encrypted C2 channels were deemed uncharacteristically rudimentary.

    Modular and Adaptable Framework

    At its core, Glutton operates as a modular malware system designed to infect PHP files and establish persistent backdoors. Initial infiltration appears to exploit both zero-day vulnerabilities and publicly known (N-day) security flaws, supplemented by brute-force techniques.

    A particularly unconventional vector involves advertising compromised enterprise systems on underground forums. These systems are injected with l0ader_shell, a malicious backdoor hidden within PHP files, enabling attackers to weaponize their foothold against other cybercriminals.

    Task-Oriented Attack Mechanisms

    The task_loader module orchestrates the primary attack framework by assessing the execution environment and fetching additional modules. Key components include:

    1. init_task – Downloads and deploys an ELF backdoor disguised as the FastCGI Process Manager (“/lib/php-fpm”). This module infects PHP files, harvests sensitive information, modifies critical system files, and executes further payloads.
    2. client_loader – A re-engineered variant of init_task that leverages an updated infrastructure. This module can install a compromised client and alter system files such as “/etc/init.d/network” to ensure persistence.

    The backdoor supports a comprehensive array of 22 commands, enabling attackers to toggle C2 connections between TCP and UDP, execute PHP code, manipulate files and directories, and upload or download data. Additionally, the modular framework periodically queries the C2 server, retrieving further payloads to execute in sequence, thus forming a seamless and adaptive attack system.

    Stealth Through PHP Processes

    All malicious operations occur within PHP or FastCGI processes, leaving minimal forensic evidence. By avoiding the creation of persistent file-based payloads, the malware maintains a low-profile presence on infected systems.
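    As a defender-side check added here (not code from XLab's report or from the article), the following Python script looks for the host artifacts the article names: a process calling itself php-fpm that runs from somewhere other than the usual php-fpm install directories (such as the reported "/lib/php-fpm"), the dropped "/lib/php-fpm" file itself, and an "/etc/init.d/network" script that launches it. The list of legitimate php-fpm directories is an assumption for a typical Linux host; adjust it for your distribution.

```python
"""Host check for the Glutton artifacts the article names (added example)."""
import os
import re
from pathlib import Path

# Directories where a legitimate php-fpm binary is normally installed
# (assumption for a typical Linux host; adjust for your distribution).
EXPECTED_PHP_FPM_DIRS = ("/usr/sbin", "/usr/local/sbin", "/usr/bin",
                         "/usr/local/bin", "/usr/lib/php")
DROPPED_PATH = "/lib/php-fpm"         # disguised ELF backdoor, per the article
INIT_SCRIPT = "/etc/init.d/network"   # file the client_loader module alters


def suspicious_php_fpm(comm: str, exe: str) -> bool:
    """True if a process names itself php-fpm but runs from an unexpected path."""
    if not re.fullmatch(r"php-fpm\d*(\.\d+)?", comm):   # php-fpm, php-fpm8.2, ...
        return False
    exe_dir = os.path.dirname(exe)
    return not any(exe_dir == d or exe_dir.startswith(d + "/")
                   for d in EXPECTED_PHP_FPM_DIRS)


def init_script_references(text: str, path: str = DROPPED_PATH) -> bool:
    """True if a non-comment line of an init script mentions the dropped binary."""
    return any(path in line and not line.lstrip().startswith("#")
               for line in text.splitlines())


def scan_host(proc_root: str = "/proc", fs_root: str = "/") -> list:
    """Return human-readable findings; roots are parameters so it can be tested."""
    findings = []
    fs = Path(fs_root)
    if (fs / DROPPED_PATH.lstrip("/")).exists():
        findings.append(f"dropped file present: {DROPPED_PATH}")
    init = fs / INIT_SCRIPT.lstrip("/")
    if init.is_file() and init_script_references(init.read_text(errors="replace")):
        findings.append(f"{INIT_SCRIPT} launches {DROPPED_PATH}")
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            comm = Path(proc_root, pid, "comm").read_text().strip()
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:           # process exited, or not ours to inspect
            continue
        if suspicious_php_fpm(comm, exe.split(" (deleted)")[0]):
            findings.append(f"pid {pid}: '{comm}' running from {exe}")
    return findings


if __name__ == "__main__":
    for finding in scan_host():
        print("SUSPICIOUS:", finding)
```

    Run it as root so that every process's "/proc/<pid>/exe" link is readable; a php-fpm worker whose binary was deleted after launch still shows up because the "(deleted)" suffix is stripped before the path check.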

    Targeting Cybercriminals

    One of Glutton’s standout tactics is its deliberate focus on cybercrime operators. The malware deploys the HackBrowserData tool to extract sensitive credentials and browsing information from systems controlled by these operators. This data likely serves as intelligence for future phishing or social engineering campaigns.

    “Glutton is emblematic of recursive attack strategies, leveraging the resources of cybercrime actors themselves to propagate its impact,” QiAnXin XLab elaborated.

    Context and Evolution

    This revelation follows XLab’s disclosure of Mélofée, an evolved malware attributed to APT41, which introduced encrypted kernel drivers for advanced persistence and stealth. This Linux backdoor communicates with C2 servers to execute commands, retrieve system details, manipulate files, and manage processes while masking its activities.

    “Mélofée exemplifies a blend of simplicity and effectiveness, with a focus on high-value targets,” XLab noted. The rarity of its samples suggests a deliberate, precision-driven approach to deployment.
