Winnti hackers target other threat actors with new Glutton PHP backdoor

​The Chinese Winnti hacking group is using a new PHP backdoor named ‘Glutton’ in attacks on organizations in China and the U.S., and also in attacks on other cybercriminals.

Chinese security firm QAX’s XLab discovered the new PHP malware in late April 2024, but evidence of its deployment, along with other files, dates back to December 2023.

XLab comments that, while Glutton is an advanced backdoor, it has notable weaknesses in stealth and encryption, which might be an indication that it’s in an early development phase.

Winnti, also known as APT41, is a notorious Chinese state-sponsored hacking group known for cyberespionage and financial theft campaigns.

Since its appearance on the scene in 2012, the group has targeted organizations in the gaming, pharmaceuticals, and telecommunications industries, while it has also attacked political organizations and government agencies.

New Glutton backdoor

Glutton is an ELF-based modular backdoor that provides flexibility and stealth to the Winnti hackers, allowing them to activate specific components for tailored attacks.

Its core components are ‘task_loader,’ which determines the environment; ‘init_task,’ which installs the backdoor; ‘client_loader,’ which introduces obfuscation; and ‘client_task,’ which operates the PHP backdoor and communicates with the command-and-control (C2) server.

“These payloads are highly modular, capable of functioning independently or being executed sequentially via task_loader to form a comprehensive attack framework,” explains XLab.

“All code execution occurs within PHP or PHP-FPM (FastCGI) processes, ensuring no file payloads are left behind, thus achieving a stealthy footprint.”

The backdoor, which masquerades as a ‘php-fpm’ process, facilitates fileless execution by dynamic in-memory execution and injects malicious code (‘l0ader_shell’) into PHP files on ThinkPHP, Yii, Laravel, and Dedecms frameworks.

Glutton modifies system files like ‘/etc/init.d/network’ to establish persistence between reboots and can also modify Baota panel files to maintain foothold and steal credentials and configurations.

Apart from Baota, the malware can also exfiltrate system information and data from the filesystem.

Glutton supports 22 commands received from the C2 server, which order the following actions:

• Create, read, write, delete, and modify files
• Execute shell commands
• Evaluate PHP code
• Scan system directories
• Retrieve host metadata
• Switch between TCP and UDP connections
• Update the C2 configuration

Targeting other cybercriminals

XLab says Winnti has deployed Glutton on targets in China and the USA, primarily targeting IT services, social security agencies, and web app developers.

Code injection is used against popular PHP frameworks used for web development, commonly found in business-critical applications, including ThinkPHP, Yii, Laravel, and Dedecms.

The Baota web panel, a popular server management tool in China, is also targeted as it is commonly used to manage sensitive data, including MySQL databases.

The threat actors are also actively using Glutton to actively hunt other hackers, embedding it inside software packages sold on cybercrime forums like Timibbs. These trojanized software packages impersonate gambling and gaming systems, fake cryptocurrency exchanges, and click-farming platforms.

Once the cybercriminals’ systems are infected, Glutton deploys the ‘HackBrowserData’ tool to extract sensitive information from web browsers, such as passwords, cookies, credit cards, download history, and browsing history.

“We hypothesize that HackBrowserData was deployed as part of a “black eats black” strategy,” explains XLabs.

“When cybercriminals attempt to locally debug or modify backdoored business systems, Glutton’s operators deploy HackBrowserData to steal high-value sensitive information from the cybercriminals themselves. This creates a recursive attack chain, leveraging the attackers’ own activities against them.”

XLabs shared indicators of compromise related to this Winnti campaign, which has been underway for over a year. However, the initial access vector remains unknown.