Winnti's Glutton: A PHP Backdoor Targeting Rival Threat Actors

Winnti Hackers Leverage New Glutton PHP Backdoor to Target Rivals and Organizations

The notorious Chinese hacking group Winnti, also known as APT41, is deploying a new PHP-based backdoor named “Glutton” in attacks targeting organizations in China and the United States, as well as rival cybercriminals. This discovery sheds light on Winnti’s evolving strategies in cyberespionage and financial theft.


Discovery and Capabilities of Glutton

Chinese security firm QAX’s XLab identified the Glutton malware in April 2024, with evidence suggesting its usage dates back to December 2023. While Glutton exhibits advanced capabilities as a modular backdoor, its stealth and encryption mechanisms reveal vulnerabilities, potentially indicating an early developmental stage.

Glutton operates as an ELF-based backdoor, designed for flexibility and stealth. Its modular structure includes the following key components:

  • task_loader: Identifies the target environment.

  • init_task: Facilitates backdoor installation.

  • client_loader: Obfuscates the operation.

  • client_task: Operates the PHP backdoor and manages communication with the command-and-control (C2) server.

The malware’s fileless execution mechanism ensures no payloads are left on the system, enhancing its stealth. It masquerades as a “php-fpm” process and employs dynamic in-memory execution to inject malicious code (“l0ader_shell”) into PHP frameworks such as ThinkPHP, Yii, Laravel, and Dedecms. To maintain persistence, Glutton modifies system files and Baota panel files, enabling credential theft and configuration access.

A Campaign Targeting Organizations and Rivals

Winnti has leveraged Glutton to attack IT services, social security agencies, and web application developers in China and the U.S. The backdoor’s 22 commands allow for comprehensive actions, such as:

  • File creation, modification, and deletion

  • Shell command execution

  • PHP code evaluation

  • Directory scanning

  • Metadata retrieval

  • TCP and UDP connection switching

  • C2 configuration updates

Additionally, Glutton targets rival cybercriminals by embedding itself within software packages sold on cybercrime forums like Timibbs. These trojanized packages impersonate tools such as gambling systems, fake cryptocurrency exchanges, and click-farming platforms. Once installed, Glutton uses tools like HackBrowserData to exfiltrate sensitive information, including passwords, cookies, and credit card details, from compromised systems.

“Black Eats Black” Strategy

XLab’s analysis suggests that Winnti employs a “black eats black” strategy, using Glutton to exploit other cybercriminals. For instance, when rival hackers attempt to debug or modify infected software, Glutton’s operators deploy HackBrowserData to steal high-value data, effectively turning the attackers into victims. This strategy reflects Winnti’s sophistication and opportunistic approach to cybercrime.

Indicators of Compromise and Unresolved Questions

XLab has shared indicators of compromise linked to this campaign, which has persisted for over a year. However, the initial access vector for Glutton remains unclear. Organizations using PHP frameworks and Baota web panels are particularly at risk and should implement robust security measures to detect and mitigate potential breaches.
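Because the article says Glutton persists by modifying system and Baota panel files and injects code into PHP frameworks, a file-integrity baseline over the PHP web root is the kind of check a defender would want. The following is an added example, not code from the article or from XLab; the marker string is the name quoted in the article and is an assumption about what would appear on disk, and the web tree and tampering are constructed inside a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Marker name taken from the article; the literal on-disk artefact may differ (assumption).
SUSPICIOUS_MARKERS = (b"l0ader_shell",)

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, exts=(".php",)) -> dict:
    """Map relative path -> SHA-256 for every PHP file under the web root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in exts}

def audit(root: Path, baseline: dict) -> dict:
    """Compare the live tree against a trusted baseline and flag marker strings."""
    current = build_baseline(root)
    findings = {
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
        "marker_hits": sorted(f for f in current
                              if any(m in (root / f).read_bytes() for m in SUSPICIOUS_MARKERS)),
    }
    return findings

def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "index.php").write_bytes(b"<?php echo 'ok';")
        (root / "app" / "config.php").write_bytes(b"<?php return [];")
        baseline = build_baseline(root)  # in practice, taken from a known-good deployment
        # Simulated tampering (constructed): one framework file modified, one file added
        (root / "app" / "index.php").write_bytes(b"<?php // l0ader_shell (constructed marker)")
        (root / "app" / "extra.php").write_bytes(b"<?php phpinfo();")
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be generated from a clean install of the framework and panel and stored off-host, with the audit run on a schedule so that both modified files and unexpected additions are surfaced.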
