Popular PHP-based frameworks like Laravel and ThinkPHP have been found to be targeted by a new backdoor named Glutton. The targets have been in regions like the USA, Cambodia, Pakistan, and South Africa. Initial investigation by the researchers reveals an interesting scenario: cybercriminals deliberately targeting other cybercriminals through the toolset they use to conduct cybercrime.
Glutton aims to exfiltrate sensitive system information by delivering an ELF backdoor and performing code injections against popular PHP frameworks such as ThinkPHP, Laravel, and Yii. The ELF malware also resembles PWNLNX, a known Winnti tool, but it does not use encrypted command-and-control (C2) communication and uses HTTP instead of HTTPS for downloading its payload.
The initial access is believed to be gained through zero-day or brute-force attacks, after which Glutton infects files present on the target system. A second lure involves posting advertisements on cybercrime forums for compromised enterprise hosts that contain l0ader_shell, a backdoor injected into PHP files, which effectively lets the operators mount attacks on other cybercriminals.
The module named “task_loader” assesses the execution environment and then uses “init_task” to download the ELF backdoor, which masquerades as the FastCGI Process Manager (PHP-FPM), thus infecting system files for data exfiltration and modification. The PHP backdoor is a fully featured backdoor that supports 22 unique commands, allowing it to switch C2 connections between TCP and UDP, launch a shell, download and upload files, perform file and directory operations, and run arbitrary PHP code. In addition, the framework can fetch and run further PHP payloads by periodically polling the C2 server.
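The two behaviours described above, PHP files modified in place and an ELF binary posing as PHP-FPM, are both detectable with ordinary host checks. The following Python script is an added defensive example and is not code from the article or from the researchers: it builds a SHA-256 baseline of the PHP files under a web root and reports modified, added and removed files, and it flags processes whose name looks like php-fpm but whose executable lives outside the directories a package-installed PHP-FPM would use. The directory tree, the "injected" content and the process table are all constructed for the demo; the allowed binary directories are an assumption and should be adjusted to the host's PHP installation.

```python
import hashlib
import tempfile
from pathlib import Path

# File extensions treated as PHP source (assumption; extend to match the deployed framework).
PHP_SUFFIXES = {".php", ".phtml", ".inc"}

# Directories where a legitimately installed php-fpm binary is expected to live (assumption).
ALLOWED_FPM_DIRS = ("/usr/sbin", "/usr/bin", "/usr/local/sbin", "/usr/local/bin")


def sha256_file(path):
    """Stream a file through SHA-256 so large vendor files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot):
    """Return {relative_posix_path: sha256} for every PHP file under webroot."""
    root = Path(webroot)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = sha256_file(path)
    return baseline


def compare_baseline(webroot, baseline):
    """Diff the current tree against a stored baseline; any change is worth a look."""
    current = build_baseline(webroot)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def flag_masquerading_fpm(processes, allowed_dirs=ALLOWED_FPM_DIRS):
    """processes: iterable of (pid, comm, exe_path), e.g. read from /proc/<pid>/comm and /proc/<pid>/exe.
    Flags anything named like php-fpm whose binary is outside the expected directories."""
    flagged = []
    for pid, comm, exe in processes:
        if "php-fpm" in comm and not any(exe.startswith(d + "/") for d in allowed_dirs):
            flagged.append((pid, comm, exe))
    return flagged


def demo_file_integrity():
    """Constructed scenario: take a baseline of a tiny Laravel-like tree, then alter one file and drop another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public").mkdir()
        (root / "config").mkdir()
        (root / "public" / "index.php").write_text("<?php require __DIR__.'/../vendor/autoload.php';\n")
        (root / "config" / "app.php").write_text("<?php return ['name' => 'demo'];\n")
        (root / "public" / "robots.txt").write_text("User-agent: *\n")  # non-PHP, ignored
        baseline = build_baseline(root)
        # Simulated tampering (constructed placeholder, not Glutton's actual injected code).
        (root / "public" / "index.php").write_text("<?php /* constructed: injected stub */\nrequire __DIR__.'/../vendor/autoload.php';\n")
        (root / "storage").mkdir()
        (root / "storage" / "cache.php").write_text("<?php // constructed: dropped file\n")
        return compare_baseline(root, baseline)


def demo_process_check():
    """Constructed process table: one genuine php-fpm master and one binary borrowing its name."""
    sample = [
        (101, "php-fpm: master process", "/usr/sbin/php-fpm8.2"),
        (2042, "php-fpm", "/var/tmp/.cache/php-fpm"),
        (77, "nginx", "/usr/sbin/nginx"),
    ]
    return flag_masquerading_fpm(sample)


if __name__ == "__main__":
    print("file integrity:", demo_file_integrity())
    print("masquerading php-fpm:", demo_process_check())
```

In production the baseline would be written to a JSON file at deploy time (ideally on a separate host) and the comparison run on a schedule; the process check maps directly onto `/proc/<pid>/comm` and `os.readlink('/proc/<pid>/exe')` on Linux.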
The activity was discovered by researchers at QiAnXin XLab, who attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (aka APT41).