In the past few months, researchers at XLab, a Chinese cybersecurity firm, have disclosed an advanced PHP backdoor attributed to Winnti, a China-linked threat group whose attacks are growing increasingly sophisticated.
The backdoor, named Glutton, has been used in attacks against targets in China, Japan, the Republic of Korea, Cambodia, Pakistan, and South Africa.
XLab first identified Glutton activity as early as late April 2024 and attributes it, with moderate confidence, to Winnti (aka APT41), a Chinese state-sponsored group.
The company also disclosed that its investigation revealed that Glutton's creators deliberately targeted systems within the cybercrime market: they poisoned tooling sold and used by cybercriminals so that those operators' own tools were turned against them, a classic case of no honor among thieves.
The Winnti hacking group, sometimes referred to as APT41, is a notorious state-sponsored group known for conducting cyber espionage and financially motivated campaigns on behalf of the Chinese government. When the group first appeared around 2012, it focused mostly on organizations in gaming, pharmaceuticals, and telecommunications, though it also attacked political organizations and government agencies.
Glutton is a modular backdoor whose components are delivered as ELF modules, giving the attacker the flexibility to assemble tailored attacks. Its key components are task_loader, which assesses the environment; init_task, which installs the backdoor; client_loader, which obfuscates the client; and client_task, which manages the PHP backdoor's operations and its communication with the command-and-control (C2) server.
The malware is designed for fileless execution: it runs entirely within PHP or PHP-FPM processes and injects malicious code into PHP files of popular frameworks such as ThinkPHP, Yii, Laravel, and Dedecms, which keeps it out of sight of file-based detection.
Glutton maintains persistence by modifying system files, including the init.d network startup script and files belonging to the Baota (BT) hosting panel, which also lets it steal credentials while keeping a foothold on the system.
Because all code execution happens inside PHP or PHP-FPM (the FastCGI process manager web servers use to handle PHP requests), Glutton leaves few of the traditional on-disk footprints that file-based scanners look for, so the backdoor can remain undetected for long periods.
Once deployed, Glutton can inject malicious code into, or extract data from, installations built on widely used PHP frameworks and hosting panels, including Baota, ThinkPHP, Yii, and Laravel.
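The two on-disk traces the paragraphs above describe (code injected into a framework's PHP files, and edits to init.d scripts or Baota panel files for persistence) are exactly what a file-integrity baseline plus a heuristic scan of PHP sources will catch. The following is an added example written for this page, not XLab's tooling or anything from the Glutton samples; the directory layout, the persistence paths, and the heuristic patterns are assumptions chosen for the demo, and the scenario it builds is constructed.

```python
"""Integrity baseline + heuristic scan for injected PHP loaders and modified
persistence files. Added example; paths and patterns are assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

# Generic indicators of an injected PHP loader (not signatures from any report).
PHP_HEURISTICS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "decoder_call": re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request_to_exec": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "long_b64_blob": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "dynamic_call": re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}

# Relative paths (assumed for the demo) where any change at all should alert:
# the init.d network script and the Baota panel directory named in the text.
PERSISTENCE_PATHS = ("etc/init.d/network", "www/server/panel/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root. In practice store this off-host."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Map relative path -> 'added' | 'removed' | 'modified'."""
    current = build_baseline(root)
    changes = {}
    for rel in baseline.keys() | current.keys():
        if rel not in current:
            changes[rel] = "removed"
        elif rel not in baseline:
            changes[rel] = "added"
        elif baseline[rel] != current[rel]:
            changes[rel] = "modified"
    return changes


def scan_php_source(src: str) -> list:
    """Names of heuristics that fire on a PHP source string, in table order."""
    return [name for name, rx in PHP_HEURISTICS.items() if rx.search(src)]


def triage(root: Path, baseline: dict) -> dict:
    """Combine integrity changes with persistence-path and PHP heuristic hits."""
    report = {}
    for rel, change in diff_baseline(root, baseline).items():
        reasons = [change]
        if any(rel == p or rel.startswith(p) for p in PERSISTENCE_PATHS):
            reasons.append("persistence_path")
        if rel.endswith(".php") and change != "removed":
            reasons += scan_php_source((root / rel).read_text(errors="replace"))
        report[rel] = reasons
    return report


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then simulate the two
    modifications described on the page and return the triage report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "www/app/public").mkdir(parents=True)
        entry = root / "www/app/public/index.php"  # Laravel-style front controller
        entry.write_text("<?php\nrequire __DIR__.'/../vendor/autoload.php';\n$app->run();\n")
        (root / "etc/init.d").mkdir(parents=True)
        init_script = root / "etc/init.d/network"
        init_script.write_text("#!/bin/sh\n# network init\nexit 0\n")
        baseline = build_baseline(root)

        # Simulated injection: a loader that decodes and evals a request-supplied payload.
        entry.write_text(entry.read_text() + "\n@eval(base64_decode($_POST['x']));\n")
        # Simulated persistence: the init script now launches a PHP process at boot.
        init_script.write_text(init_script.read_text() + "/usr/bin/php /tmp/.t.php &\n")
        return triage(root, baseline)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path}: {', '.join(reasons)}")
```

The baseline must be taken from a known-clean deployment and kept where a compromised host cannot rewrite it; the heuristics will also fire on legitimately minified or obfuscated PHP, so treat them as triage hints, not verdicts. The scan only sees what touches disk: a payload that the injected loader pulls from the C2 and evaluates purely in the PHP-FPM worker's memory needs process-level telemetry (outbound connections from php-fpm workers, unexpected child processes) to catch.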
Researchers traced the activity back to December 2023, when an IP address was observed distributing an ELF-format backdoor targeting Linux and other Unix-like systems. Further analysis showed that this ELF malware also carried a malicious PHP file, and following that lead uncovered a network of interconnected malicious PHP payloads, revealing a complex attack infrastructure.
The researchers link the malware to Winnti's historical activity, but they point out several shortcomings in stealth and execution that are uncharacteristically underwhelming for an APT group.
Although plaintext PHP samples and a simplistic C2 communication protocol are not typical of Winnti's tradecraft, the researchers attribute the malware to Winnti with moderate confidence.
According to the XLab researchers, Winnti "deliberately targeted systems within the cybercrime market": the backdoor was planted in tooling that cybercrime operators buy and deploy, so that compromising one operator's kit yields access to that operator's systems rather than to a mass of unrelated victims.
Recent research has repeatedly shown threat actors piggybacking on one another's infrastructure. In a report published by Microsoft, Turla, an APT group linked to the Russian government, was found to have run operations through infrastructure previously set up by other APT groups or cybercriminals.
The PHP backdoor is fully featured and supports 22 unique commands, including switching the C2 connection from TCP to UDP, launching a shell, uploading and downloading files, performing file and directory operations, and running arbitrary PHP code. It also periodically polls the C2 server for additional PHP payloads, which it retrieves and executes.
According to XLab, these payloads are highly modular: each can be executed independently, or run in sequence by the task_loader module, giving the operator a comprehensive framework for carrying out attacks.
Because every payload is executed inside PHP or PHP-FPM (FastCGI) worker processes, no payload file has to be written to disk, and the backdoor's footprint after execution is minimal.
In addition, the operators deploy HackBrowserData, an open-source browser-credential dumper, on the cybercriminals' own systems to steal sensitive information such as saved passwords and cookies, which can then inform future phishing or social engineering campaigns.