Full Report
2024-12-12 • XLab • XLab Team • elf.winnti
Analysis Summary
# Tool/Technique: Glutton
## Overview
Glutton is a newly identified, highly evasive PHP web shell (backdoor) designed to evade modern detection methods. It is reportedly being used by actors associated with the Winnti operation group, aiming to establish persistent access via compromised web servers.
## Technical Details
- Type: Malware (Backdoor/Web Shell)
- Platform: PHP (targeting web servers running PHP)
- Capabilities: Credential harvesting, file manipulation, remote command execution, obfuscation for anti-detection.
- First Seen: Mid-to-late 2024 (inferred from the article date)
## MITRE ATT&CK Mapping
*Note: Specific mappings require deeper analysis of the malware's behavior, but common web shell tactics apply.*
- **TA0003 - Persistence**
  - T1505 - Server Software Component: Web Shell
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0011 - Command and Control**
  - T1105 - Ingress Tool Transfer (if used to download other tools)
## Functionality
### Core Capabilities
- **Remote Command Execution (RCE):** Ability to execute arbitrary operating system commands via web requests.
- **File System Manipulation:** Uploading, downloading, modifying, and deleting files on the compromised host.
- **Credential Harvesting:** Specifically designed to target and extract sensitive data accessible by the web server process (e.g., configuration files, database credentials).
### Advanced Features
- **Zero-Detection Evasion:** The malware employs advanced obfuscation techniques specifically designed to bypass modern web application firewalls (WAFs) and signature-based antivirus/security solutions, leading to "zero-detection" status at the time of analysis.
- **Stealthy Communication:** Likely utilizes non-standard HTTP requests or domain-fronting techniques (common in Winnti infrastructure, though not explicitly detailed here) to communicate with C2.
## Indicators of Compromise
- File Hashes: [Information not provided in the context snippet]
- File Names: [Information not provided in the context snippet, though likely a common PHP file extension or highly obfuscated name]
- Registry Keys: [Not applicable for standard PHP web shell placement]
- Network Indicators: [Information not provided in the context snippet]
- Behavioral Indicators: Unusually high outbound traffic or file modification activity originating from the web application process, execution of system commands via web requests (e.g., usage of `system()`, `exec()`, or base64-encoded shell functions in PHP).
## Associated Threat Actors
- Winnti (the threat group associated with this malware lineage).
## Detection Methods
- Signature-based detection: Likely ineffective initially due to its "zero-detection" nature.
- Behavioral detection: Monitoring for the invocation of standard operating system commands (like `whoami`, `ls`, `cat`, `cmd.exe`) directly through the HTTP request parameters processed by PHP scripts.
- YARA rules: Custom YARA rules targeting unique string signatures or embedded logic unique to Glutton's obfuscation layer would be necessary.
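The behavioral indicators listed above (execution sinks such as `system()` and `exec()`, base64-encoded payloads, and OS commands arriving in HTTP request parameters) can be turned into a first-pass triage script. The following is an added example written for this summary, not code from XLab's report or from Malpedia: it scans PHP source text for the classic `eval(decoder(...))` obfuscation layer and scans access-log request lines for shell commands in query parameters, including base64-encoded ones. The indicator lists, sample PHP and sample log lines are constructed for illustration and are not Glutton artifacts.

```python
"""Heuristic triage of PHP web-shell indicators in source files and access logs.

Added example: indicator lists, sample PHP and sample log lines below are
constructed for illustration and are not taken from the Glutton report.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# PHP sinks that hand attacker-controlled text to the OS or the interpreter
EXEC_SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval", "assert")
# Decoders typically chained in front of eval() to hide the real payload
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13", "strrev")
# OS commands worth flagging when they arrive inside request parameters
SHELL_CMDS = ("whoami", "ls", "cat", "cmd.exe", "id", "uname", "/bin/sh")

_CALL_RE = re.compile(r"\b(" + "|".join(EXEC_SINKS + DECODERS) + r")\s*\(", re.I)
_EVAL_DECODER_RE = re.compile(r"\beval\s*\(\s*(?:" + "|".join(DECODERS) + r")\s*\(", re.I)
_LONG_B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|OPTIONS) (\S+) HTTP/')
# A command counts only when delimited by whitespace, shell separators or the ends of the value
_CMD_RES = {c: re.compile(r"(?:^|[\s;|&`])" + re.escape(c) + r"(?:$|[\s;|&`])") for c in SHELL_CMDS}


def scan_php_source(src: str) -> dict:
    """Map each execution/obfuscation indicator found in PHP text to its hit count."""
    hits = {}
    for m in _CALL_RE.finditer(src):
        name = m.group(1).lower()
        hits[name] = hits.get(name, 0) + 1
    if _EVAL_DECODER_RE.search(src):      # eval(base64_decode(...)) style loader
        hits["eval_of_decoder"] = 1
    if _LONG_B64_RE.search(src):          # a long encoded blob suggests an embedded stage
        hits["long_base64_blob"] = 1
    return hits


def _maybe_b64(value: str) -> str:
    """Return the base64-decoded text of value, or value itself if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return value


def scan_request(target: str, body: str = "") -> list:
    """Flag shell commands or PHP calls in the query string and body of one request."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    params.update(parse_qs(body, keep_blank_values=True))
    findings = set()
    for key, values in params.items():
        for v in values:
            # check the raw value and, if it decodes, its base64-decoded form
            for candidate in (v, _maybe_b64(v)):
                low = candidate.lower()
                for cmd, rx in _CMD_RES.items():
                    if rx.search(low):
                        findings.add((key, cmd))
                if _CALL_RE.search(candidate):
                    findings.add((key, "php_call"))
    return sorted(findings)


def scan_access_log(lines) -> list:
    """Return (line_no, param, indicator) for every suspicious request line in a log."""
    out = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if m:
            for key, ind in scan_request(m.group(1)):
                out.append((n, key, ind))
    return out


# Constructed sample PHP: a minimal eval(base64_decode()) loader plus a filler blob
SAMPLE_PHP = ("<?php\n$k = $_POST['k'];\neval(base64_decode($k));\n"
              "$blob = \"" + "QUFB" * 12 + "\";\n")
BENIGN_PHP = "<?php echo htmlspecialchars($_GET['page'] ?? 'home');"

# Constructed access-log lines in Common Log Format (IPs and paths are placeholders)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2024:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Dec/2024:10:01:05 +0000] "GET /uploads/cache.php?c=whoami HTTP/1.1" 200 33',
    '10.0.0.9 - - [12/Dec/2024:10:01:07 +0000] "GET /uploads/cache.php?c=aWQ= HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))
    print(scan_php_source(BENIGN_PHP))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Both scanners are heuristics meant to shortlist files and requests for a human, not to replace a WAF or YARA: short command names such as `id` and `ls` and the long-base64 check will occasionally fire on legitimate content, and a shell that encrypts rather than base64-encodes its parameters will pass `_maybe_b64` untouched. The value is in the pairing: a PHP file that hits `eval_of_decoder` and a request to that same file carrying a flagged parameter is a far stronger signal than either alone.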
## Mitigation Strategies
- Web Application Firewalls (WAF): Ensure WAFs are configured for deep content inspection and anomaly detection, not just signature matching.
- Principle of Least Privilege: Ensure the web server process runs with the minimum necessary permissions to drastically limit the damage a successful web shell can inflict.
- Patching and Hardening: Regularly update PHP versions and web server software; restrict execution permissions in web-accessible directories where possible.
## Related Tools/Techniques
- DarkCracks (mentioned in context; it is a payload delivery framework rather than a PHP backdoor, but it suggests similar supply chain/delivery techniques used by related groups).
- Other sophisticated PHP web shells (e.g., China Chopper variants, WSO shell).