Security researchers at QAX’s XLab have uncovered a new PHP backdoor named ‘Glutton’ being utilized by the Chinese state-sponsored hacking group Winnti (APT41) since December 2023. The malware targets organizations in China and the United States, while also launching attacks against other cybercriminals.
Technical Overview:
– Glutton is an ELF-based modular backdoor with four core components:
  – task_loader (environment assessment)
  – init_task (backdoor installation)
  – client_loader (obfuscation)
  – client_task (PHP backdoor operation and C2 communication)
Key Capabilities:
– Fileless execution through dynamic in-memory operations
– Code injection into popular PHP frameworks (ThinkPHP, Yii, Laravel, Dedecms)
– System persistence via modification of network initialization files
– Credential theft from Baota panel
– 22 different C2 server commands for system control
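Two of the capabilities above, injection into framework code and persistence through edited system initialization files, leave the same footprint on disk: a previously known-good file changes, or a new file appears where none should. The following added example (not code from the XLab report or from the Glutton malware) shows the defender-side check for that: take a hash baseline of a deployment tree, re-walk it later, and report added, removed and modified files. The watched file suffixes, the directory layout and the tampering simulated in `demo()` are all constructed assumptions for illustration.

```python
"""Added example: file-integrity baseline and diff for a PHP deployment tree.

Not from the XLab report. Assumes a defender can snapshot a known-good
deployment and re-check it on a schedule; paths and suffixes are illustrative.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types worth watching in a framework tree plus init scripts.
WATCHED_SUFFIXES = {".php", ".inc", ".sh"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map POSIX-style relative path -> sha256 for every watched file under root."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in WATCHED_SUFFIXES:
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result


def diff(old: dict, new: dict) -> dict:
    """Classify changes between two baselines into added/removed/modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter one core file
    and drop a new one, which is how an injected framework file or a dropped
    persistence script would look to the monitor. Nothing here is real
    malware content; the 'tampering' is a harmless comment line."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor").mkdir()
        (root / "vendor" / "Router.php").write_text("<?php // constructed core file\n")
        (root / "index.php").write_text("<?php require 'vendor/Router.php';\n")
        (root / "notes.txt").write_text("ignored: not a watched suffix\n")
        before = baseline(root)

        # Simulated change after deployment (constructed, not Glutton code).
        (root / "vendor" / "Router.php").write_text(
            "<?php // constructed core file\n// extra line appended later\n"
        )
        (root / "vendor" / "helper.php").write_text("<?php // constructed new file\n")
        after = baseline(root)
        return diff(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken from a clean build artifact or a freshly provisioned host and stored off-box, so a tampered system cannot also rewrite the reference; the diff is then run from a cron job or a FIM agent and any hit on a framework core directory or an init script is escalated rather than auto-fixed.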
Target Scope:
– IT service providers
– Social security agencies
– Web application developers
– Other cybercriminals via trojanized software
Notable Attack Strategy:
The group employs a “black eats black” approach by embedding Glutton in fake software packages sold on cybercrime forums. When cybercriminals deploy these packages, the HackBrowserData tool is activated to steal sensitive information including:
– Passwords
– Cookies
– Credit card data
– Browsing history
While the initial infection vector remains unknown, the campaign has been active for over a year, demonstrating Winnti’s continued evolution in cyber espionage and financial theft operations.