
QiAnXin XLab's Cyber Threat Insight and Analysis System (CTIA) recently discovered "Glutton," a new, advanced PHP backdoor. This malware is unusual because it targets both traditional victims and cybercriminals.  

 CTIA first noticed Glutton on April 29, 2024, observing the IP address 172.247.127.210 distributing an ELF-based Winnti backdoor. Winnti is malware often used by advanced persistent threat (APT) groups to target software supply chains. The discovery of the malicious PHP file "init_task.txt" from the same IP on December 20, 2023, prompted further investigation, revealing the Glutton framework. 

Glutton is a modular framework designed for fileless execution within PHP or PHP-FPM processes, leaving little evidence of its presence. It is used for data exfiltration (stealing system information and sensitive Baota panel data), backdoor installation (deploying both Winnti and PHP-based backdoors), and code injection into popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel.  

To start its attack, Glutton uses the task_loader component to assess the infected system's environment. It then downloads the necessary modules, like init_task, which handles the actual backdoor installation by deploying the Winnti component and injecting malicious code into PHP files. This injected code then establishes communication with the command-and-control (C2) server, from which it can receive one of 22 possible commands, including basic file operations (create, read, write, delete, modify), running shell commands, executing PHP code, scanning directories, grabbing system info, switching network connections (TCP/UDP), and even updating its own C2 settings. Glutton also modifies system files like /etc/init.d/network so that it persists across reboots.

The use of a Winnti backdoor and a C2 server (156.251.163[.]120) active during the observed attacks initially strongly suggested the Winnti APT group's involvement. However, Glutton has some surprising weaknesses for something supposedly made by Winnti, like unencrypted C2 communications, an HTTP downloader, unobfuscated PHP code, and weak infrastructure security. Despite these issues, researchers are still tentatively pointing the finger at the Winnti group (moderate confidence) based on the Winnti backdoor sample and the C2 infrastructure. 

Glutton is estimated to have been active for over a year, targeting victims primarily in China and the United States, spanning sectors such as IT services, business operations, and social security. It also targeted the cybercrime market. VirusTotal analysis revealed Glutton embedded within tools and resources—including a fraudulent click-farming platform—sold on cybercrime forums. This "no honor among thieves" strategy suggests Glutton's operators are actively stealing data and resources from other cybercriminals. To stay safe, admins can:  

  1. Search PHP files for the string l0ader_shell.
  2. Kill any Winnti or PHP backdoor processes.
  3. Lock down their /tmp directory (for example, by adding a .donot file).
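As an added illustration of the first and third checks above (this is example code, not from the XLab report or this post), a small read-only Python scanner: it walks a web root for PHP files containing the l0ader_shell marker and reports whether the .donot guard file is present in a given temp directory. The directory paths are parameters, and the sample tree it builds is constructed purely for the demo.

```python
import os
import tempfile

MARKER = b"l0ader_shell"      # string the post says to look for in PHP files
GUARD_FILE = ".donot"         # guard file the post suggests placing in /tmp
PHP_EXTS = (".php", ".phtml")


def scan_php_tree(root):
    """Return sorted (relative_path, line_no) pairs for PHP files containing MARKER."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                # Read as bytes so odd encodings in injected code cannot raise.
                with open(path, "rb") as fh:
                    for line_no, line in enumerate(fh, start=1):
                        if MARKER in line:
                            hits.append((os.path.relpath(path, root), line_no))
                            break  # one hit is enough to flag the file
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)


def tmp_guard_present(tmp_dir="/tmp"):
    """True if the .donot guard file the post recommends exists in tmp_dir."""
    return os.path.isfile(os.path.join(tmp_dir, GUARD_FILE))


def build_sample_tree():
    """Constructed sample web root (not real malware): clean PHP, marked PHP, ignored .txt."""
    root = tempfile.mkdtemp(prefix="glutton_demo_")
    os.makedirs(os.path.join(root, "app", "controllers"))
    samples = {
        "index.php": "<?php\necho 'hello';\n",
        "app/controllers/Base.php": "<?php\n// constructed sample\n$m = 'l0ader_shell';\n",
        "notes.txt": "l0ader_shell mentioned in text only\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, line_no in scan_php_tree(build_sample_tree()):
        print(f"FLAGGED {rel} (line {line_no})")
    print("tmp guard present:", tmp_guard_present())
```

Run it against a real web root by passing that path to scan_php_tree instead of the constructed tree; the scan only reads files and never modifies them.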


CyberShelter provides innovative and modern cybersecurity products and niche services to individuals and organizations against all kinds of cyber threats.
