Alert: Critical PHP Framework Backdoor ‘Glutton’ Targets Laravel and ThinkPHP in Global Cyber Campaign

New PHP Backdoor ‘Glutton’ Targets Multiple Countries in Sophisticated Cyber Campaign

Security researchers at QiAnXin XLab have identified a new PHP-based backdoor called Glutton, targeting systems in China, the United States, Cambodia, Pakistan, and South Africa. The malware, discovered in April 2024, is tentatively linked to the Chinese state-sponsored group Winnti (APT41).

Key Features and Capabilities:
– Harvests sensitive system information
– Deploys ELF backdoor components
– Performs code injection against PHP frameworks (Baota, ThinkPHP, Yii, Laravel)
– Supports 22 unique commands for comprehensive system control
– Utilizes both TCP and UDP connections
– Enables file operations and arbitrary PHP code execution

Attack Methodology:
1. Initial access through zero-day exploits and brute-force attacks
2. Deployment of task_loader module for environment assessment
3. Installation of init_task component for backdoor deployment
4. Implementation of client_loader for persistence
5. Targeting of cybercrime operators using compromised enterprise hosts

Notable Characteristics:
– Shows similarities with Winnti’s PWNLNX tool
– Lacks typical APT stealth techniques
– Uses unencrypted HTTP communications
– Operates within PHP/PHP-FPM processes
– Employs HackBrowserData tool for information theft
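The report says Glutton injects code into PHP framework files and runs inside the PHP/PHP-FPM process, so a useful defensive control is file-integrity monitoring of the framework tree: hash every PHP file at deploy time and alert when a file changes, appears, or disappears. The script below is an added example, not code from the XLab report or from any project it mentions; the Laravel-like directory layout, file contents and the "injected" text it writes are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for a PHP framework source tree.

Added example (not from the QiAnXin XLab report). It records SHA-256 digests
of every PHP file under a framework root, then compares a later snapshot
against that baseline and reports added, removed and modified files. The
sample tree built in demo() is constructed for the example.
"""
import hashlib
import tempfile
from pathlib import Path

# File types PHP-FPM will execute; tighten or extend for your deployment.
PHP_SUFFIXES = {".php", ".phtml"}


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every PHP file under root."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in PHP_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two digest maps from hash_tree(); return sorted change lists."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo():
    """Build a constructed Laravel-like tree, baseline it, tamper, and diff.

    Returns the diff dict so the result can be inspected programmatically.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor/laravel/framework/src").mkdir(parents=True)
        (root / "app/Http").mkdir(parents=True)
        helpers = root / "vendor/laravel/framework/src/helpers.php"
        helpers.write_text("<?php\nfunction app() { return Container::getInstance(); }\n")
        (root / "app/Http/Kernel.php").write_text("<?php\nclass Kernel {}\n")
        (root / "app/Http/notes.txt").write_text("not a PHP file, ignored\n")

        # Snapshot taken at deploy time, before anything is tampered with.
        baseline = hash_tree(root)

        # Constructed tampering: a framework file is modified in place and a
        # new hidden PHP file is dropped into the application tree.
        with helpers.open("a") as fh:
            fh.write("// injected-code placeholder (constructed)\n")
        (root / "app/Http/.cache.php").write_text("<?php\n// dropped file\n")

        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline would be written at deploy time (and stored outside the web root) and the comparison run from cron or a monitoring agent; any entry in `modified` or `added` under `vendor/` or the framework core is worth an immediate look, since legitimate deploys replace those trees wholesale rather than editing files in place.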

The discovery follows the recent identification of Mélofée, another APT41 malware variant featuring enhanced persistence mechanisms and encrypted kernel drivers. While Glutton’s technical implementation appears less sophisticated than typical APT41 operations, its strategic targeting of both legitimate systems and cybercrime infrastructure demonstrates an evolved attack methodology.
