Full Report
The Glutton backdoor, a modular PHP-based malware framework, has been observed targeting systems in China, the U.S., Cambodia, Pakistan, and South Africa. The malware, linked with moderate confidence to the Chinese nation-state group Winnti, showcases unique behavior by target...
Analysis Summary
# Threat Actor: Winnti (Linked to Glutton Backdoor)
## Attribution & Identity
* **Identification:** Chinese nation-state group.
* **Confidence:** Moderate confidence link established between the Glutton backdoor activity and Winnti.
* **Known Aliases/Associated Groups:** Winnti.
## Activity Summary
The primary activity summarized involves the deployment and use of the Glutton backdoor, a modular PHP-based malware framework. This framework has been used to target external systems in various countries. A unique aspect of this activity is the dual targeting approach: attacking traditional victims while also targeting cybercrime operators by embedding the backdoor into compromised business systems and cybercrime tools sold on forums ("no honor among thieves" approach).
## Tactics, Techniques & Procedures
* **Initial Access:** Unknown.
* **Execution/Infection:** Infecting PHP files with malicious code, embedding the `l0ader_shell` payload.
* **Persistence/Defense Evasion:** Dropping ELF-based Winnti backdoors that masquerade as `/lib/php-fpm` to integrate with legitimate processes.
* **Lateral Movement/Discovery:** Leveraging the HackBrowserData tool to steal sensitive browser data (passwords, cookies, history).
* **Framework Structure:** Utilizing a modular framework with components like `task_loader`, `init_task`, `client_loader`, `client_task`, and `fetch_task` for fileless execution.
* **MITRE ATT&CK IDs:** N/A (Not explicitly provided in the context).
## Targeting
* **Sectors:** Cybercrime ecosystem operators (targeting tools sold on forums); General business systems.
* **Geography:** China, the U.S., Cambodia, Pakistan, and South Africa.
* **Victims:** Systems utilizing popular PHP frameworks (Baota (BT), ThinkPHP, Yii, and Laravel). Cybercrime operators selling compromised software.
## Tools & Infrastructure
* **Malware Families Used:** Glutton backdoor (modular PHP framework), `l0ader_shell` payload, ELF-based Winnti backdoors.
* **Infrastructure:** HackBrowserData tool (for intelligence theft).
* **Defanged URLs/IPs:** N/A
## Implications
The use of the Glutton backdoor by an actor potentially linked to Winnti demonstrates a sophisticated approach to resource exploitation. By infecting tools and systems sold on cybercrime forums, the actor effectively poisons the supply chain for other malicious actors, achieving persistence and intelligence gathering against both legitimate targets and cybercriminal peer groups. The fileless nature of the attack against PHP targets increases stealth.
## Mitigations
* Monitor for unexpected PHP file modifications, especially within deployed web application frameworks.
* Review any process whose executable path is `/lib/php-fpm`: the report describes ELF-based Winnti backdoors using that path to blend in with legitimate php-fpm workers, so verify that such a binary is the distribution's own php-fpm rather than an unexpected ELF file.
* Implement strict controls on the integrity and acquisition source of business systems and cybercrime tools intended for internal or client use.
* Monitor for the deployment or execution of data-scraping utilities like HackBrowserData on compromised systems.
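As an added, defender-side example (not part of the report and not code from the Glutton analysis), the following Python script implements the first two mitigations: it baselines and diffs SHA-256 hashes of every PHP file under a web-application root, and it flags processes that present as php-fpm but run from a path outside the expected install directories, such as `/lib/php-fpm`. The expected-directory list, the sample process table and the demo web tree are constructed assumptions; `live_processes()` reads `/proc` on a real Linux host.

```python
"""Host-level checks for two of the mitigations listed above:
(1) detect unexpected modification of PHP files under a web-app tree,
(2) flag php-fpm processes whose executable lives at a non-standard path
    such as /lib/php-fpm (the masquerade path described in the report).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories where a packaged php-fpm binary is normally installed.
# ASSUMPTION for this example; adjust to the distribution in use.
EXPECTED_PHP_FPM_DIRS = ("/usr/sbin", "/usr/bin", "/usr/local/sbin", "/usr/local/bin")


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_php_baseline(root):
    """Map POSIX-style relative path -> sha256 for every .php file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*.php") if p.is_file()}


def diff_php_baseline(root, baseline):
    """Compare the tree against a stored baseline.
    Returns {'modified': [...], 'added': [...], 'removed': [...]}."""
    current = build_php_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def suspicious_php_fpm(processes):
    """processes: iterable of (pid, comm, exe_path).
    Return entries that claim to be php-fpm (by comm or binary name) but whose
    executable sits outside EXPECTED_PHP_FPM_DIRS, e.g. /lib/php-fpm."""
    flagged = []
    for pid, comm, exe in processes:
        exe_clean = exe.replace(" (deleted)", "")  # /proc marks unlinked binaries
        looks_like_fpm = comm.startswith("php-fpm") or os.path.basename(exe_clean).startswith("php-fpm")
        if looks_like_fpm and os.path.dirname(exe_clean) not in EXPECTED_PHP_FPM_DIRS:
            flagged.append((pid, comm, exe))
    return flagged


def live_processes():
    """Enumerate (pid, comm, exe) from /proc on Linux. Requires privileges to
    read /proc/<pid>/exe of other users' processes; unreadable ones are skipped."""
    out = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            comm = Path(f"/proc/{entry}/comm").read_text().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue
        out.append((int(entry), comm, exe))
    return out


# Constructed sample process table (not real telemetry).
SAMPLE_PROCESSES = [
    (1201, "php-fpm", "/usr/sbin/php-fpm8.2"),
    (1340, "php-fpm", "/lib/php-fpm"),
    (1400, "nginx", "/usr/sbin/nginx"),
]


def demo_php_integrity():
    """Build a constructed web-app tree in a temp dir, baseline it, simulate a
    tampered file plus a newly dropped file, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "app" / "config.php").write_text("<?php return ['debug' => false]; ?>\n")
        baseline = build_php_baseline(root)
        # Simulated tampering: an existing file is appended to and a new file appears.
        with open(root / "app" / "index.php", "a") as f:
            f.write("<?php /* placeholder for injected content */ ?>\n")
        (root / "app" / "cache.php").write_text("<?php /* placeholder dropped file */ ?>\n")
        return diff_php_baseline(root, baseline)


if __name__ == "__main__":
    print("PHP integrity diff (demo tree):", demo_php_integrity())
    print("Suspicious php-fpm (sample table):", suspicious_php_fpm(SAMPLE_PROCESSES))
    if os.path.isdir("/proc"):
        print("Suspicious php-fpm (this host):", suspicious_php_fpm(live_processes()))
```

In production the baseline dictionary would be written to storage outside the web root (or fed to an existing file-integrity tool) and re-checked on a schedule; the process check is deliberately keyed on the resolved executable path rather than the process name, because a masquerading binary controls its own name but cannot hide where `/proc/<pid>/exe` points.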