China’s QiAnXin has suddenly discovered a new sophisticated backdoor called Glutton, which appears to have been developed and deployed by APTs, and has remained undetected for over a year.
Leaving aside all the technical details of Glutton, which can be read in detail in the Chinese report if desired, the most important aspect of QiAnXin’s research is its attribution to the Winnti arsenal.
Even if it’s only with a moderate degree of certainty, I’d like to ask: are you serious?
On April 29, 2024, XLab's threat perception system captured an abnormal activity: IP 172.247.127.210 was spreading the ELF version of the winnti backdoor Trojan. The appearance of APT-related alerts quickly attracted our attention. Further tracing found that on December 20, 2023 the IP had spread a malicious PHP file, init_task.txt, with 0 detections on VirusTotal. This clue provided an important entry point for our subsequent investigation.
Taking init_task as a clue, we further discovered a series of related malicious PHP payloads, including task_loader, init_task_win32, client_loader, client_task, fetch_task, l0ader_shell, etc. These payloads are flexibly designed: they can run alone, or use task_loader as an entry point to load the other payloads step by step and form a complete attack framework. All code in the framework executes inside the PHP process or the PHP-FPM (FastCGI) process, so no payload is written to disk and the framework stays hidden. At this point, an advanced PHP Trojan not previously exposed by the security community had surfaced. Based on this Trojan's characteristic of infecting a large number of PHP files and implanting l0ader_shell, we named it Glutton.
