A new PHP backdoor has been discovered, possibly linked to the Winnti group, which is associated with China.

446/67 Wednesday, December 18, 2024

Cybersecurity researchers from QiAnXin, a Chinese company, have revealed an advanced PHP backdoor called Glutton, a new tool attributed to the China-linked Winnti group. The backdoor has been used against targets in multiple countries, including China, the United States, Cambodia, Pakistan, and South Africa. Glutton is modular in design to evade detection: all of its operations run as PHP code, and it abuses PHP-FPM so that it leaves no files or other traces on the system. Once active, the malware can inject malicious code into popular PHP frameworks such as Baota, ThinkPHP, Yii, and Laravel. Glutton was first spotted in December 2023, when researchers noticed unusual activity tied to an IP address distributing the backdoor against Unix systems. Further analysis uncovered malicious PHP payloads and a complex attack infrastructure.

Despite some weaknesses in operational security, QiAnXin researchers believe Glutton could be the work of the Winnti group, based on code samples and the C2 protocol used for communication. However, the malware's quality falls below the group's usual standard; for example, it is written as plain-text PHP code. The Winnti group, also known as APT41, is linked to the Chinese government and operates both as a state-sponsored actor and as an independent cybercriminal outfit. Its malware has been used against gambling companies in China, governments, and organizations worldwide. According to QiAnXin's report, Glutton may be used to retaliate against other cybercriminal groups, using their infrastructure to cover its own tracks; this aligns with a trend reported by Microsoft, in which the Russia-linked APT group Turla likewise used infrastructure belonging to other groups. For prevention, system administrators are advised to monitor for vulnerabilities in PHP systems and frameworks and to keep platforms and software continuously updated to protect against increasingly sophisticated attacks.

Source: https://cyberscoop.com/glutton-php-backdoor-winnti-apt-41-china/