Security researchers at QAX XLab have uncovered a sophisticated modular PHP backdoor named Glutton, attributed to the notorious Advanced Persistent Threat (APT) group Winnti (also known as APT41). This newly identified malware demonstrates advanced capabilities in targeting organizations across China and the United States, while employing an unusual strategy of compromising other cybercriminal operations.
Technical Analysis: Glutton’s Advanced Architecture and Capabilities
The Glutton backdoor implements a complex modular architecture comprising four essential components. The task_loader manages environmental checks, while the init_task handles backdoor installation procedures. Additionally, the client_loader performs code obfuscation, and the client_task maintains command-and-control (C2) communications and overall backdoor management. This modular design provides attackers with exceptional flexibility in conducting targeted operations.
Sophisticated Evasion Techniques and Deployment Methods
What sets Glutton apart is its advanced ability to masquerade as legitimate php-fpm processes and execute fileless operations entirely in memory. The malware specifically targets popular PHP frameworks, including ThinkPHP, Yii, Laravel, and DedeCMS, injecting malicious code into their core files. This approach significantly complicates detection and removal efforts by traditional security solutions.
Strategic Persistence Mechanisms
To maintain long-term access, Glutton employs sophisticated persistence techniques through the modification of critical system files, particularly targeting /etc/init.d/network. In attacks focused on Chinese entities, the malware specifically compromises the widely-used Baota control panel, enabling the theft of administrative credentials and system configurations.
Innovative Criminal-on-Criminal Targeting Strategy
Perhaps the most intriguing aspect of Glutton’s deployment is Winnti’s strategy of targeting other cybercriminal operations. The group has been observed injecting the backdoor into malicious packages traded on underground forums, including fake cryptocurrency exchanges and gaming platforms. Once deployed, Glutton leverages the HackBrowserData tool to extract sensitive information from compromised systems, including credentials, cookies, and payment data.
First detected in December 2023 and fully analyzed by April 2024, Glutton represents a significant evolution in backdoor capabilities. Security experts recommend implementing comprehensive PHP process monitoring, regular system file integrity checks, and multi-layered web server security protocols. Organizations should particularly focus on monitoring unusual PHP-FPM process behavior and implementing strict access controls for web application frameworks. The emergence of this sophisticated threat underscores the critical importance of maintaining robust security practices and continuous system monitoring in today’s evolving threat landscape.
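The two host-side checks recommended above (php-fpm process monitoring and integrity checks on /etc/init.d/network and framework core files), as an added example that is not code from QAX XLab or from the report. It assumes a collector has already read comm, exe and maps from /proc for each process; the process records in sample_procs() are constructed, not real captures.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class ProcInfo:
    pid: int
    comm: str    # contents of /proc/<pid>/comm
    exe: str     # readlink of /proc/<pid>/exe ("... (deleted)" if unlinked)
    maps: tuple = ()  # lines of /proc/<pid>/maps

def php_fpm_anomalies(procs):
    """(pid, reasons) for processes named php-fpm that are not backed by the php-fpm binary
    or that run code from memfd/unlinked mappings, the usual signs of in-memory residency."""
    findings = []
    for p in procs:
        if "php-fpm" not in p.comm:
            continue
        reasons = []
        exe_path = p.exe.replace(" (deleted)", "")
        if "php-fpm" not in exe_path.rsplit("/", 1)[-1]:
            reasons.append(f"exe resolves to {p.exe}, not a php-fpm binary")
        if p.exe.endswith("(deleted)"):
            reasons.append("executable has been unlinked from disk")
        for line in p.maps:
            fields = line.split(None, 5)
            perms = fields[1] if len(fields) > 1 else ""
            path = fields[5].strip() if len(fields) > 5 else ""
            # Anonymous r-x mappings are not flagged: PHP's opcache JIT uses them legitimately.
            if "x" in perms and (path.startswith("/memfd:") or path.endswith("(deleted)")):
                reasons.append(f"executable mapping with no on-disk backing: {path}")
                break
        if reasons:
            findings.append((p.pid, reasons))
    return findings

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def integrity_drift(baseline, current):
    """Watched paths whose current SHA-256 differs from the recorded baseline, or that are missing."""
    return sorted(p for p, digest in baseline.items() if current.get(p) != digest)

def sample_procs():
    """Constructed records for the demo, not real captures: a genuine worker and an impostor."""
    return [
        ProcInfo(1201, "php-fpm", "/usr/sbin/php-fpm8.2",
                 ("7f00000000-7f0000100000 r-xp 00000000 08:01 1234 /usr/sbin/php-fpm8.2",)),
        ProcInfo(1337, "php-fpm", "/tmp/.x (deleted)",
                 ("7f1000000000-7f1000010000 r-xp 00000000 00:00 0 /memfd:payload (deleted)",)),
    ]
```

Record the baseline hashes of /etc/init.d/network and your framework's core files from a known-clean deployment, then run integrity_drift against freshly computed hashes on a schedule; a deleted-file mapping can also follow a routine package upgrade, so treat that finding as a prompt to restart and re-check rather than as proof on its own.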