PHP backdoor looks to be work of Chinese-linked APT group
Cybersecurity researchers at a China-based cybersecurity company have uncovered an advanced PHP backdoor that suggests a new asset in the arsenal of Chinese-linked Advanced Persistent Threat group Winnti.
Researchers at QiAnXin’s XLab discovered the backdoor, which they titled Glutton, targeting China, the United States, Cambodia, Pakistan, and South Africa. After initially discovering the malware in April of this year, the company believes Glutton has been “undetected in the cybersecurity landscape for over a year.”
Glutton is built with a modular design that lets it operate without leaving traditional digital footprints. All code execution occurs within PHP itself or within PHP-FPM (the FastCGI Process Manager), the component that manages PHP worker processes on web servers. According to the researchers, this means no file payloads are written to disk, which helps the backdoor evade detection.
When deployed, Glutton can be used to exfiltrate data or inject malicious code into widely used PHP frameworks, such as Baota, ThinkPHP, Yii, and Laravel.
The first clues related to Glutton surfaced in December 2023, when researchers traced unusual activity back to an IP address that was distributing an ELF-based backdoor (ELF being the executable format used by Linux and other Unix-like operating systems). Further research uncovered a malicious PHP file embedded in that ELF malware. From there, researchers unraveled a network of related malicious PHP payloads, exposing an intricate attack infrastructure.
XLab researchers wrote that the malware shares a connection with the Winnti group’s historical activities. Yet, researchers pointed out that the malware has “several shortcomings in stealth and execution, which seem uncharacteristically subpar” for the APT group. Among these, researchers cited the use of plaintext PHP samples and simplistic C2 communication protocols, both of which are normally outside Winnti’s behavior. That aside, the researchers believe “with moderate confidence” that Winnti is responsible for the malware.
While XLab researchers detailed a formidable list of countries being targeted, they said Winnti “deliberately targeted systems within the cybercrime market” to help spread the malware as far as possible.
“By poisoning operations, they aimed to turn the tools of cybercriminals against them — a classic ‘no honor among thieves’ scenario,” XLab researchers wrote.
Piggy-backing off other threat actors’ infrastructure has been a recurring theme in recently released research. Microsoft has published reports that found Turla, a Russian-linked APT group, has been using infrastructure initially set up by other APT groups or cybercriminals to run its own operations.
Winnti, also known as APT41, has long been linked to China. In 2019, Mandiant (then FireEye) published a report that suggested the group carried out operations on behalf of the Chinese government while also freelancing in cybercrime. Among other operations, researchers have found the group targeting online gambling firms in China, using Microsoft Exchange vulnerabilities to target hotels and governments around the world, and standing up front companies to mask the use of its RAT tools.
You can read QiAnXin’s research on the company’s blog.