A new PHP-based backdoor, Glutton, attributed to the Winnti group, is delivered via a malicious PHP file and injects code into popular PHP frameworks to install a Winnti backdoor.
While the Winnti backdoor is a signature tool of the group, Glutton's simplistic design and weak operational security suggest the operation is less sophisticated than the group's usual tradecraft.
Glutton also preys on the cybercrime ecosystem itself: it targets systems traded within that market, with victims mainly in China and the United States across a range of industries, and spreads through infected PHP scripts and trojanized business systems.
These systems, often sold on platforms such as Timibbs, were shipped with backdoors that give remote access and control, likely planted by a skilled hacker or group, which highlights the intricate nature of cybercrime and how readily malicious actors turn on their own peers.
Glutton is a modular PHP-based attack framework with multiple infection vectors: exploiting vulnerabilities, abusing weak passwords, or distributing pre-compromised systems with embedded backdoors.
Once installed, it plants a malicious loader in PHP files and uses it to deploy backdoors, both Winnti and PHP-based, that establish covert communication channels for persistent control of the infected system.
To evaluate the environment and choose a method for downloading the next-stage payload, Glutton uses a module named task_loader.
The init_task payload then performs three main actions: 1) installing the Winnti backdoor disguised as a system library, 2) infecting Baota control panels to steal credentials and modify files, and 3) injecting malicious code into popular PHP frameworks for further payload delivery.
The Baota infection routine collects a range of sensitive information and uploads it to the attacker's server, while the PHP framework injection alters specific lines of code so that the framework contacts the attacker's infrastructure and downloads additional malicious payloads.
The Winnti variant art3 uses the client_loader module, a refactored version of init_task with obfuscated code and updated communication infrastructure, which introduces a backdoored PHP client offering cross-platform compatibility, fileless execution, and potential AV evasion.
The client_task module then uses this client for C2 communication over TCP or UDP, command execution (22 commands, including shell access and file transfer), and periodic payload retrieval via its fetch_task function, which currently fetches client_loader itself.
Glutton also uses a do_tp5_request function to clean up older infections, and it communicates with a previously undetected domain, jklwang.com, hinting at a broader infrastructure.
It also bundles the legitimate HackBrowserData tool, normally used to extract browser data such as saved passwords and history, as part of a "black eats black" strategy.
This lets Glutton's operators steal sensitive information from other cybercriminals who try to tamper with the backdoored systems, a layered attack in which the attackers' own actions are turned against them.
According to XLab, the Glutton backdoor has been active for over a year, targets both traditional victims and cybercrime actors, steals sensitive information, monetizes infected systems, and harvests data for future attacks.
To mitigate the threat, administrators should inspect PHP files for injected code, terminate malicious processes, and harden temporary directories, since the initial access vector remains unknown.