
Winnti-Like Glutton Backdoor Targets Cybercriminals


Hackers have recently been found using a backdoor variant linked to a Chinese threat actor group to target the cybercriminal underground for financial gain. This malicious activity was uncovered by researchers at QiAnXin XLab, who identified a PHP-based backdoor named “Glutton” that shares striking similarities with a backdoor exclusively used by the Winnti Group, a threat actor group suspected of having ties to Beijing.

While the researchers stopped short of definitively attributing Glutton to the Winnti Group, they did identify several key similarities and connections between the two. The researchers noted that Glutton exhibited subpar stealth and execution capabilities, such as a lack of encrypted communications with the command and control server and the presence of plaintext source code. These shortcomings raised doubts about the true identity of the operators behind Glutton and their level of expertise compared to the Winnti Group.

The Winnti Group, also known as APT41, Wicked Panda, and Wicked Spider among other names, has been active for over a decade, engaging in various cyber espionage and malicious activities targeting organizations globally. In 2020, the U.S. Department of Justice indicted five Chinese nationals for using Winnti malware in intrusions against U.S. companies and pro-democracy figures in Hong Kong. The group’s extensive history and capabilities make it a formidable force in the cyber threat landscape.

What sets the Glutton malware apart is its specific targeting of systems used by cybercriminals, particularly those based in China. Researchers found instances of Glutton embedded in archives downloaded from cybercrime online markets, where it was available for purchase. The malware was also detected on a fraudulent click-farming platform, indicating a wide range of illicit activities associated with its deployment.

The modular structure of Glutton allows it to perform various malicious actions, including data exfiltration, backdoor deployment, and code injection into popular PHP frameworks. By infecting PHP files and manipulating system data, Glutton operators can extract sensitive information and compromise critical systems. Moreover, the malware’s ability to operate stealthily within PHP processes makes it difficult to detect and remove, prolonging its impact on targeted systems.

Victims of the Glutton malware come from diverse sectors, with a focus on IT services and business operations. The malware’s capability to extract system information and credentials poses a significant risk to organizations, potentially leading to data breaches and financial losses. The exploitation of the cybercrime ecosystem by Glutton authors highlights the evolving tactics used by threat actors to maximize their profits and undermine cybersecurity measures.

In conclusion, the discovery of the Glutton malware underscores the complex and adaptive nature of cyber threats in today’s digital landscape. As cybercriminals and threat actors continue to innovate and collaborate, organizations must enhance their security practices and remain vigilant against emerging malware strains like Glutton. By staying informed and proactive, businesses can better protect themselves against financial and reputational damage caused by malicious cyber activities.
