Full Report
Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa. QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti (
Analysis Summary
# Tool/Technique: Glutton
## Overview
Glutton is a newly discovered, modular, PHP-based backdoor framework intentionally designed to target and compromise systems within the cybercrime market, effectively "turning the tools of cybercriminals against them." It is capable of harvesting system information, implanting an ELF backdoor, and performing code injection against popular PHP frameworks.
## Technical Details
- Type: Malware Family (Backdoor Framework)
- Platform: Linux (due to ELF component), targeting PHP environments on web servers.
- Capabilities: PHP file infection, ELF backdoor deployment, information harvesting, code injection into PHP frameworks, modular command execution.
- First Seen: Late April 2024
## MITRE ATT&CK Mapping
*Note: The report summarizes capabilities rather than the implementation of each of the 22 commands, so these mappings reflect the broad behaviours described. Exact mappings would require deeper analysis of the specific modules.*
- T1059 - Command and Scripting Interpreter (PHP has no dedicated sub-technique; the shell operations exposed by the command set fall under T1059.004 **Unix Shell**)
- T1505.003 - Server Software Component: **Web Shell** (`l0ader_shell` injected into existing PHP files)
- T1071.001 - Application Layer Protocol: **Web Protocols** (unencrypted HTTP payload downloads)
- T1095 - Non-Application Layer Protocol (C2 switchable between TCP and UDP)
- TA0003 - Persistence
- T1037.004 - Boot or Logon Initialization Scripts: **RC Scripts** (modification of `/etc/init.d/network`; a closer fit than T1543.003 Systemd Service for an init.d script)
- T1036.005 - Masquerading: **Match Legitimate Name or Location** (ELF backdoor placed at `/lib/php-fpm`)
- TA0009 - Collection
- T1005 - Data from Local System
- T1083 - File and Directory Discovery
- T1555.003 - Credentials from Password Stores: **Credentials from Web Browsers** (HackBrowserData on operator systems)
## Functionality
### Core Capabilities
- **Infection and Code Injection:** Infects existing PHP files on target devices and injects malicious code for execution within PHP or PHP-FPM processes.
- **Modular Structure:** Utilizes core modules like `task_loader` (environment assessment and component fetching) and `init_task`/`client_loader` (for downloading and executing the ELF component).
- **Information Harvesting:** Collects sensitive system information.
- **Backdoor Deployment:** Downloads and executes a disguised ELF backdoor component, often masquerading as the FastCGI Process Manager (`/lib/php-fpm`).
### Advanced Features
- **Cross-Protocol C2:** Supports switching Command and Control (C2) connections between TCP and UDP.
- **Recursive Attack Chain:** Targets cybercrime operators themselves; enterprise hosts already carrying `l0ader_shell` are reused as staging points for subsequent attacks against others.
- **Stealth:** Executes code entirely within PHP or PHP-FPM processes to minimize residual file footprints.
- **Persistence:** Modifies system files, such as `/etc/init.d/network`, to establish persistence.
- **External Tool Integration:** Runs the open-source browser credential and history dumping tool **HackBrowserData** on compromised cybercrime operator systems; the stolen data feeds later social engineering and phishing campaigns.
- **Extensive Command Set:** Supports 22 unique commands, including shell operations, file/directory manipulation, and arbitrary PHP code execution.
## Indicators of Compromise
- File Hashes: Not provided in this summary.
- File Names:
- ELF Backdoor masquerading as FastCGI Process Manager: `/lib/php-fpm`
- Backdoor injected into PHP files: `l0ader_shell`
- Registry Keys: Not applicable (Linux).
- Network Indicators:
- Payload downloads over unencrypted HTTP rather than HTTPS.
- C2 communications switchable between TCP and UDP.
- Behavioral Indicators:
- Modification of system files like `/etc/init.d/network`.
- Code executing within the context of PHP or PHP-FPM processes.
- Periodic polling of the C2 server for new PHP payloads.
## Associated Threat Actors
- **Winnti (aka APT41):** Attributed with moderate confidence due to similarities between the dropped ELF malware and a known Winnti tool, PWNLNX.
## Detection Methods
- Signature-based detection: Signatures targeting specific known file hashes or unique code snippets within the PHP implants.
- Behavioral detection: Monitoring for processes executing malicious code within legitimate PHP/PHP-FPM contexts, modifications to system startup/network configuration files (`/etc/init.d/network`), and use of unencrypted (HTTP) C2 communications.
- YARA rules: Rules targeting the unique strings or structure of the Glutton PHP code or the associated ELF component.
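The behavioural and file indicators above can be turned into a small host-hunting routine. The script below is an added example written for this page, not tooling from XLab or the report. It checks three things the report names: PHP files under a web root containing the `l0ader_shell` marker, processes that present as php-fpm but run from `/lib/php-fpm` rather than a package-managed location, and init-script lines that launch the suspect ELF path. The allowed php-fpm locations (`/usr/sbin`, `/usr/local/sbin`, `/usr/bin`) and the init-script heuristic are assumptions, and the web root, process table and init script in `run_demo()` are constructed sample data.

```python
"""Hunt for Glutton-style file and process indicators (added example).

Assumptions, not taken from the report:
  * a legitimate php-fpm binary lives under /usr/sbin, /usr/local/sbin or /usr/bin;
  * an init script referencing /lib/php-fpm is a persistence injection.
All sample data in run_demo() is constructed for the demonstration.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Marker the report gives for the implant injected into existing PHP files.
PHP_MARKER = re.compile(rb"l0ader_shell")

# Path the report gives for the disguised ELF backdoor.
SUSPECT_ELF = "/lib/php-fpm"

# Where a package-managed php-fpm is expected to live (assumption).
LEGIT_FPM_PREFIXES = ("/usr/sbin/", "/usr/local/sbin/", "/usr/bin/")

PHP_EXTENSIONS = (".php", ".phtml", ".inc")


@dataclass(frozen=True)
class ProcessEntry:
    """Minimal view of one /proc/<pid> entry: resolved exe link and cmdline."""
    pid: int
    exe: str
    cmdline: str


def scan_php_files(root):
    """Walk `root` and return sorted paths of PHP files containing the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(PHP_EXTENSIONS):
                continue  # only PHP source is in scope for the implant
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if PHP_MARKER.search(data):
                hits.append(path)
    return sorted(hits)


def find_masquerading_php_fpm(processes):
    """Return processes that look like php-fpm but run from an unexpected path.

    Glutton's ELF component masquerades as the FastCGI Process Manager, so
    a 'php-fpm' process whose exe does not resolve under a package-managed
    location is worth a closer look.
    """
    suspicious = []
    for proc in processes:
        looks_like_fpm = ("php-fpm" in proc.cmdline
                          or os.path.basename(proc.exe).startswith("php-fpm"))
        if looks_like_fpm and not proc.exe.startswith(LEGIT_FPM_PREFIXES):
            suspicious.append(proc)
    return suspicious


def suspicious_init_lines(script_text):
    """Lines of an init script that reference the suspect ELF path (heuristic)."""
    return [line.strip() for line in script_text.splitlines() if SUSPECT_ELF in line]


def run_demo():
    """Run all three checks over constructed sample data; return a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "var", "www", "html")
        os.makedirs(webroot)
        # Constructed sample web root: one clean file, one carrying the marker,
        # and a non-PHP file that mentions the marker and must be ignored.
        with open(os.path.join(webroot, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(webroot, "config.php"), "w") as fh:
            fh.write("<?php\n$db = 'x';\n// l0ader_shell (constructed marker, not the real implant body)\n")
        with open(os.path.join(webroot, "notes.txt"), "w") as fh:
            fh.write("l0ader_shell mentioned in a text file, not PHP\n")
        php_hits = [os.path.relpath(p, root) for p in scan_php_files(root)]

    # Constructed process table resembling /proc: two legitimate php-fpm
    # processes and one running from /lib/php-fpm.
    procs = [
        ProcessEntry(812, "/usr/sbin/php-fpm8.2", "php-fpm: master process (/etc/php/8.2/fpm/php-fpm.conf)"),
        ProcessEntry(815, "/usr/sbin/php-fpm8.2", "php-fpm: pool www"),
        ProcessEntry(2210, "/lib/php-fpm", "php-fpm: pool www"),
    ]
    bad_pids = [p.pid for p in find_masquerading_php_fpm(procs)]

    # Constructed init script with an injected launch of the suspect ELF.
    init_script = "#!/bin/sh\n# network init\n/lib/php-fpm &\nexit 0\n"
    init_lines = suspicious_init_lines(init_script)

    return {"php_hits": php_hits, "bad_pids": bad_pids, "init_lines": init_lines}


if __name__ == "__main__":
    print(run_demo())
```

On a real host, replace the constructed data with `scan_php_files("/var/www")`, a process table built from `os.readlink("/proc/<pid>/exe")` and `/proc/<pid>/cmdline`, and the contents of `/etc/init.d/network`. A `php-fpm` process whose exe link reads `(deleted)` or points outside the package path is the same signal the masquerading check looks for.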
## Mitigation Strategies
- Prevention measures: Apply timely patches for zero-day and N-day vulnerabilities often exploited for initial access (e.g., related to ThinkPHP, Yii, Laravel, or Baota).
- Hardening recommendations:
- Secure web server configurations, strictly limiting process execution rights for web application users.
- Implement strong network monitoring to detect anomalous TCP/UDP traffic originating from web services.
- Employ WAFs (Web Application Firewalls) to detect and block PHP code injection attempts.
- Enforce TLS for legitimate outbound traffic from web servers, so that plaintext HTTP downloads initiated by PHP or PHP-FPM processes stand out as anomalous and can be blocked at the egress point.
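The hardening point about limiting what the web application user can execute maps directly onto a PHP-FPM pool configuration. The fragment below is an added example for this page, not configuration from the report or from any affected project; the pool file path, PHP version, socket path and directory names are assumptions to adapt to the host. `php_admin_value` and `php_admin_flag` settings cannot be overridden from application code with `ini_set()`, which is what makes them useful against injected PHP.

```ini
; /etc/php/8.2/fpm/pool.d/www.conf  (path and version are assumptions)
[www]
user = www-data
group = www-data
listen = /run/php/php8.2-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Confine file access to the application tree and a private scratch directory,
; so an injected payload cannot read or write outside them.
php_admin_value[open_basedir] = /var/www/html:/var/www/tmp
php_admin_value[upload_tmp_dir] = /var/www/tmp
php_admin_value[session.save_path] = /var/www/tmp

; Remove the process-spawning primitives an injected PHP payload relies on
; (shell operations and dropping/running a native ELF component).
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,pcntl_fork,dl

; Stop PHP-level fetches of remote code and further stages.
; allow_url_fopen = off also blocks legitimate outbound fetches; test the application first.
php_admin_flag[allow_url_include] = off
php_admin_flag[allow_url_fopen] = off
php_admin_flag[expose_php] = off
```

Pair this with file ownership that prevents the pool user from rewriting its own code: own the web root as `root:www-data` with group read-only permissions and keep only the upload and scratch directories writable. An implant that runs inside PHP-FPM then cannot infect existing PHP files on disk, which is the infection step the report describes.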
## Related Tools/Techniques
- **PWNLNX:** The known Winnti tool whose ELF component shares near-complete similarity with the ELF backdoor dropped by Glutton.
- **Mélofée:** Another malware recently detailed by QiAnXin XLab, associated with APT41, which uses RC4-encrypted drivers for stealth.