Summary:
QiAnXin XLab researchers have uncovered the use of a new PHP backdoor named Glutton they have observed in a global campaign targeting China, the United States, Cambodia, Pakistan, and South Africa. The malicious activity was discovered in April 2024 and Glutton has been attributed to the Chinese nation-state group APT41 (Winnti) with moderate confidence. To the researchers' surprise, some of these Glutton attacks are part of targeted operations against cybercrime systems. Glutton is designed to harvest sensitive system information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks like Baota (BT), ThinkPHP, Yii, and Laravel. The ELF backdoor component of Glutton is a near mirror image of a known APT41 tool, PWNLNX. Despite this similarity, XLab finds that the adversary in this attack doesn’t utilize any of the typical stealth techniques associated with APT41. The adversary uses unencrypted C2 communication over HTTP to download payloads. The payload samples are devoid of obfuscation. Initial access is believed to be achieved via zero-day exploitation and brute-force attempts. Another unconventional approach involves advertising on cybercrime forums compromised enterprise hosts containing l0ader_shell, a backdoor injected into PHP files, effectively allowing the operators to mount attacks on other cybercriminals.

Security Officer Comments:
Glutton is a modular malware framework capable of infecting PHP files on target devices and planting backdoors for additional payload deployments and long-term espionage operations involving collecting sensitive information and modifying system processes for persistence. This is the second APT41 report published by XLab in the last month regarding APT41 activity highlighting that this is an active group making constant updates to signature malware. The strategy to exploit cybercrime resources operators creates an effective and recursive campaign that leverages other attackers' infrastructure against them. Victims of these attacks were primarily located in the US and China. XLab was able to uncover a wider network of assets that potentially enable the adversary to extend the campaign’s reach. Based on the initial discovery of init_task, XLab approximates that Glutton has been active undetected in the cybersecurity landscape for over a year. The attacker’s focus on exploiting other cybercriminals’ resources underscores the recent trend of cybercriminals, especially APTs, stealing or sharing other group’s malicious resources.

Suggested Corrections:
IOCs are available here.

Multi-factor authentication (MFA) is by far the best defense against the majority of password-related attacks, including credential stuffing and password spraying, with analysis by Microsoft suggesting that it would have stopped 99.9% of account compromises. As such, it should be implemented wherever possible; however, depending on the audience of the application, it may not be practical or feasible to enforce the use of MFA.

In order to balance security and usability, multi-factor authentication can be combined with other techniques to require for 2nd factor only in specific circumstances where there is reason to suspect that the login attempt may not be legitimate, such as a login from:

• A new browser/device or IP address.
• An unusual country or location.
• Specific countries that are considered untrusted.
• An IP address that appears on known block lists.
• An IP address that has tried to login to multiple accounts.
• A login attempt that appears to be scripted rather than manual.

Additionally, for enterprise applications, known trusted IP ranges could be added to an allow list so that MFA is not required when users connect from these ranges.

Link(s):
https://thehackernews.com/2024/12/new-glutton-malware-exploits-popular.html

https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/