Cybersecurity firm QiAnXin XLab has identified a new PHP backdoor named Glutton, which has been leveraged in targeted cyberattacks across multiple countries, including China, the United States, Cambodia, Pakistan, and South Africa. This malware, tied with moderate confidence to the Chinese state-sponsored group Winnti (also known as APT41), has drawn attention due to its unique approach of targeting cybercriminals themselves.
QiAnXin XLab uncovers Glutton backdoor used in cyberattacks
Glutton, discovered in late April 2024 but believed to have been deployed as early as December 2023, is engineered to gather sensitive system information and execute malicious code on popular PHP frameworks like Laravel, ThinkPHP, and Yii. The backdoor drops an ELF component and has been characterized as having “near-complete similarity” with Winnti’s known tool PWNLNX. However, researchers noted a “lack of stealth techniques” typical of Winnti campaigns, which suggests that the malware may still be in development.
The Glutton malware operates through several modules, with the “task_loader” module playing a critical role by assessing the execution environment before anything else runs. The main functions supported by the backdoor include code injection, establishing persistence, and communicating with command-and-control (C2) servers over unencrypted HTTP.
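The C2 channel described above, plaintext HTTP from inside the PHP process, is something a defender can hunt for without any malware-specific signature: a PHP worker on a web host normally has a short, known list of outbound destinations. The script below is an added illustration, not code from the XLab report or from Glutton; it runs a simple allowlist rule over constructed egress-telemetry rows (the CSV format, the hosts and the process names are assumptions for the demo) and flags PHP workers talking plaintext HTTP or UDP to anything not on the list.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample telemetry (not from the report): one row per outbound
# connection attempt, as an egress sensor on a web host might export it.
SAMPLE_EGRESS_CSV = """ts,proto,pid,comm,dst_ip,dst_port
2024-04-29T10:01:02Z,tcp,2107,php-fpm,203.0.113.10,80
2024-04-29T10:01:03Z,tcp,2107,php-fpm,198.51.100.5,443
2024-04-29T10:01:05Z,udp,2109,php-fpm,203.0.113.10,53
2024-04-29T10:01:06Z,tcp,880,nginx,198.51.100.5,443
2024-04-29T10:01:07Z,tcp,2110,php,192.0.2.77,80
2024-04-29T10:01:09Z,udp,2110,php,192.0.2.77,8080
"""

# Destinations the application is expected to reach (assumption for the demo:
# an HTTPS API and the local resolver). Anything else reached by a PHP worker
# is worth a look.
ALLOWED_DESTINATIONS = {("198.51.100.5", 443), ("203.0.113.10", 53)}
PHP_PROCESSES = {"php-fpm", "php", "php8.2"}


@dataclass(frozen=True)
class Finding:
    ts: str
    pid: int
    comm: str
    proto: str
    dst: str
    reason: str


def classify(row):
    """Return a reason string if the connection row is suspicious, else None."""
    if row["comm"] not in PHP_PROCESSES:
        return None
    port = int(row["dst_port"])
    if (row["dst_ip"], port) in ALLOWED_DESTINATIONS:
        return None
    if row["proto"] == "udp":
        return "php worker sending UDP to non-allowlisted host"
    if port == 80:
        return "php worker using plaintext HTTP to non-allowlisted host"
    return "php worker contacting non-allowlisted host"


def scan(csv_text):
    """Run the allowlist rule over every row and collect findings in order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row)
        if reason:
            findings.append(Finding(row["ts"], int(row["pid"]), row["comm"],
                                    row["proto"],
                                    f"{row['dst_ip']}:{row['dst_port']}",
                                    reason))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EGRESS_CSV):
        print(f"{f.ts} pid={f.pid} {f.comm} {f.proto} -> {f.dst}: {f.reason}")
```

On the sample rows this reports three events: the php-fpm worker reaching 203.0.113.10 over plaintext HTTP, and the php process (pid 2110) reaching 192.0.2.77 first over TCP/80 and then over UDP. The rule is deliberately coarse; its value is that the allowlist for a web worker is small and stable, so deviations are cheap to review.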
What is Glutton?
Glutton is a modular malware framework that executes its operations without leaving traditional file-based evidence, achieving stealth by executing instructions within the PHP or PHP-FPM processes. This approach allows it to drop payloads dynamically while evading detection mechanisms commonly employed by cybersecurity tools. The framework includes components like “init_task,” which installs the backdoor, and “client_loader,” which introduces refined network protocols to enhance its deployment capabilities.
Glutton’s command set is extensive, allowing for a range of operations such as file manipulation, command execution, and the ability to switch between TCP and UDP for C2 connections. It supports 22 unique commands that enable actions like retrieving host metadata and executing arbitrary PHP code. The backdoor’s ability to modify critical system files, including those associated with network settings, ensures its persistence even after system reboots.
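Because the report describes persistence through edits to system files (including network settings) and code execution inside PHP frameworks, the most direct defensive control is a file-integrity baseline over the framework tree and the network configuration files. The following is an added example, not code from the report or from any affected project: it hashes the watched files, stores a baseline, and reports what was modified, added or removed. The directory layout, the watched paths and the tampering in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# What to watch. Assumption for the demo: a Laravel-style web root with app/
# and vendor/, plus a handful of network-related files under etc/. Paths are
# relative to a root so the same code can run against a temporary tree.
WATCHED_TREES = ["app", "vendor"]
WATCHED_FILES = ["etc/hosts", "etc/resolv.conf", "etc/network/interfaces"]
PHP_SUFFIXES = {".php", ".phtml"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every watched PHP file and config file."""
    baseline = {}
    for tree in WATCHED_TREES:
        for p in (root / tree).rglob("*"):
            if p.is_file() and p.suffix in PHP_SUFFIXES:
                baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    for rel in WATCHED_FILES:
        p = root / rel
        if p.is_file():
            baseline[rel] = sha256_of(p)
    return baseline


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a previously stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed sample tree, baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "app/Http/Kernel.php": "<?php\nnamespace App\\Http;\nclass Kernel {}\n",
            "vendor/autoload.php": "<?php\nrequire __DIR__ . '/composer/autoload_real.php';\n",
            "etc/hosts": "127.0.0.1 localhost\n",
            "etc/resolv.conf": "nameserver 192.0.2.53\n",
        }
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        baseline = build_baseline(root)
        # Constructed tampering of the kinds the report describes: an edited
        # framework file, a new PHP file under vendor/, and a hosts entry.
        (root / "app/Http/Kernel.php").write_text(
            "<?php\nnamespace App\\Http;\nclass Kernel { /* changed */ }\n")
        dropped = root / "vendor/composer/helper.php"
        dropped.parent.mkdir(parents=True, exist_ok=True)
        dropped.write_text("<?php\n// newly dropped file\n")
        (root / "etc/hosts").write_text(
            "127.0.0.1 localhost\n203.0.113.10 updates.example\n")
        return diff_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is produced at deploy time from the artifact you shipped and kept off the host (or signed), since a backdoor that can modify system files can also rewrite a baseline stored beside them. Note that this catches on-disk changes only; the in-process execution the report attributes to Glutton needs the network and process controls described elsewhere on this page.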
Investigations reveal that the malware’s authors are using Glutton not just for traditional espionage but also to turn cybercrime operations against other attackers. By embedding Glutton in software packages sold on cybercrime forums, aimed primarily at scammers who sell fraudulent services, the creators have positioned the backdoor to extract sensitive data from rival cybercriminals using tools such as HackBrowserData.
The targeting strategy reflects an approach XLab describes as “black eats black,” a tactic in which Winnti infiltrates and undermines rival adversaries in the cybercrime sector. Glutton has reportedly been used against systems belonging to IT service providers, social security agencies, and web app developers, focusing on tools that are widely used in the cybercriminal ecosystem.
The malware was discovered within compromised environments using popular PHP frameworks, which are critical to the functioning of numerous business applications.
Featured image credit: James Yarema/Unsplash