Malware Exploits Cybercrime Ecosystem for Profit
Hackers are using a variant of a backdoor that’s the hallmark of a Chinese threat actor suspected of ties to Beijing in order to target the cybercriminal underground.
Researchers at QiAnXin XLab uncovered a PHP-based backdoor they christened “Glutton,” writing Thursday that it “shares near-complete similarity” with a backdoor exclusively used by the Winnti Group.
Despite its overlap with the Winnti backdoor, XLab researchers said they were unwilling to definitively attribute Glutton to the threat actor, instead linking it to the Winnti Group with moderate confidence. “From a technical perspective, Glutton demonstrates several shortcomings in stealth and execution, which seem uncharacteristically subpar,” XLab wrote. Those shortcomings include a lack of encrypted communications with the command-and-control server and source code left in plaintext.
“While Glutton’s delivery mechanisms strongly align with the Winnti Group, its lack of stealth and simplistic implementation introduce uncertainty.” Winnti has been active since 2010. Its activity overlaps with groups tracked as Axiom, APT17 and Ke3chang. The U.S. Department of Justice in 2020 said Winnti is also tracked as APT41, Wicked Panda and Wicked Spider. It indicted five Chinese nationals for using Winnti malware in computer intrusions against U.S. companies as well as pro-democracy politicians and activists in Hong Kong.
Whoever they are, Glutton operators are targeting systems used by cyber criminals, the majority of them located in China.
One sample on VirusTotal led to a fraudulent click-farming platform. Analysis showed another sample was embedded in an archive downloaded from the Timibbs cybercrime online market, where Glutton was available for $980. It’s possible that Glutton operators breached the forum, although it’s equally possible that the operators collaborate with Timibbs, or are a customer who embedded Glutton into a hacking tool.
“Regardless of the details, one thing is clear: Glutton’s authors exploited the cybercrime ecosystem itself, using poisoned tools to turn cybercrime operators into unwitting pawns,” XLab wrote.
The backdoor can extract sensitive system data, deploy an Executable and Linkable Format backdoor, and inject malicious code into widely used PHP frameworks like Baota, ThinkPHP, Yii and Laravel.
Glutton’s structure features modular payloads such as task_loader, client_loader and l0ader_shell. These components function together, allowing attackers to infect PHP files, implant backdoors and conduct data exfiltration.
The malware operates stealthily within PHP or PHP-FPM (FastCGI) processes, leaving no files behind and ensuring its activities remain undetected.
The core functionalities of Glutton revolve around data exfiltration and backdoor installation. The malware targets critical system information like OS and PHP versions and sensitive data from Baota server management panels, including credentials and system management details.
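The article describes Glutton infecting PHP files and injecting code into framework deployments such as ThinkPHP and Laravel, while the loader itself lives inside PHP/PHP-FPM processes. One defensive control that addresses the on-disk half of that behaviour is file-integrity monitoring of the web root combined with a scan for constructs that rarely belong in framework entry points. The script below is an added illustration written for this article, not code from XLab or from any analysed sample; the directory layout, file names and the tampered content it builds are constructed for the demo, and the regex list is a generic starting point that a deployment would tune to its own code base. It does not detect purely in-memory activity in a running PHP-FPM worker, which needs process-level telemetry instead.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Generic constructs that are unusual in framework entry points and often
# accompany injected PHP; tune this list to the code base being monitored.
SUSPICIOUS = [
    re.compile(rb"\beval\s*\("),
    re.compile(rb"\bbase64_decode\s*\("),
    re.compile(rb"\bgzinflate\s*\("),
    re.compile(rb"\bcreate_function\s*\("),
]


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file's bytes."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline_tree(root: Path) -> dict:
    """Record a hash for every .php file under root (taken from a known-good deploy)."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*.php")}


def scan_tree(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline and flag suspicious constructs.

    Returns {relative_path: [reasons]} for files that are new, changed, or
    contain one of the SUSPICIOUS patterns. An empty dict means nothing to report.
    """
    findings = {}
    for php in sorted(root.rglob("*.php")):
        rel = php.relative_to(root).as_posix()
        reasons = []
        digest = sha256_file(php)
        if rel not in baseline:
            reasons.append("new file")
        elif baseline[rel] != digest:
            reasons.append("hash changed")
        data = php.read_bytes()
        for pat in SUSPICIOUS:
            if pat.search(data):
                reasons.append("suspicious: " + pat.pattern.decode())
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Constructed scenario: baseline a tiny deployment, tamper with it, rescan.

    Returns (clean_findings, tampered_findings) so the result can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public").mkdir()
        (root / "vendor").mkdir()
        # Constructed, benign stand-ins for a framework front controller and autoloader.
        (root / "public" / "index.php").write_text(
            "<?php\nrequire __DIR__ . '/../vendor/autoload.php';\n"
        )
        (root / "vendor" / "autoload.php").write_text("<?php\n// autoloader stub\n")

        baseline = baseline_tree(root)
        clean = scan_tree(root, baseline)  # expected: {}

        # Simulate the two on-disk effects described: an edited entry point that
        # gains a loader-style construct, and a file dropped outside the baseline.
        # The decoded string is a placeholder, not a real payload.
        index = root / "public" / "index.php"
        index.write_text(
            "<?php @eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'));\n"
            + index.read_text()
        )
        (root / "public" / "dropped.php").write_text("<?php\n// constructed extra file\n")

        tampered = scan_tree(root, baseline)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean scan:", before)
    for path, reasons in after.items():
        print(f"{path}: {', '.join(reasons)}")
```

In production the baseline would be produced at deploy time from the release artifact and stored off-host, and the scan scheduled or triggered by inotify; the value of the hash comparison is that it catches any edit to a framework file, whether or not the injected code matches a pattern, while the pattern list only adds a hint about why a change matters.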
The victims of Glutton span various sectors, particularly in IT services and business operations.