Malware Exploits Cybercrime Ecosystem for Profit
Recent revelations highlight how hackers are employing a variant of a backdoor traditionally associated with a Chinese threat actor suspected to have connections to the Beijing government. The specific malware variant, labeled “Glutton,” is targeting the cybercriminal underground.
According to researchers at QiAnXin XLab, a new PHP-based backdoor exhibits significant similarities to a backdoor used exclusively by the Winnti Group, a known actor in the cyber threat landscape. However, the researchers have stated that they cannot confirm attribution to this group with certainty, assessing the link with only moderate confidence.
The researchers pointed out several technical shortcomings in Glutton’s design, which notably deviate from the typical characteristics exhibited by Winnti malware. These drawbacks include unencrypted communications with the command-and-control server and source code in plaintext, raising questions about the operational security of this malware.
Winnti is a long-standing player in the cyber threat arena, active since 2010, and its operations are thought to intersect with other tracked groups such as Axiom, APT17, and Ke3chang. The U.S. Department of Justice characterized Winnti as APT41, Wicked Panda, and Wicked Spider, indicting multiple Chinese nationals for leveraging Winnti malware in attacks against U.S.-based companies and pro-democracy figures in Hong Kong.
The Glutton backdoor is particularly interesting due to its focus on systems used by cybercriminals, predominantly operating within China. One notable sample linked to Glutton was discovered in association with a click-farming platform, while another was found embedded within an archive downloaded from the Timibbs online cybercrime marketplace, where it was offered for sale for $980.
Researchers speculate that operators of Glutton may have infiltrated the forum or could be collaborating with or purchasing from it, suggesting a complex relationship within the cybercrime ecosystem. Regardless of the specifics, it is evident that the malware’s creators are adept at exploiting existing tools within the cybercriminal landscape, turning malicious actors into unsuspecting participants in their own exploitation.
The capabilities of the Glutton malware extend to extracting sensitive system data and injecting malicious code into widely-used PHP frameworks, such as Baota, ThinkPHP, Yii, and Laravel. Furthermore, Glutton operates stealthily, leaving no files on infected systems and enabling attackers to maintain a low profile during their operations.
Overall, the Glutton malware underscores serious cybersecurity risks across various sectors, particularly IT services and business operations. Its collection of critical system information, including operating system and PHP version details, represents a significant threat to organizational security. From a tactical perspective, the techniques employed may map to MITRE ATT&CK tactics such as initial access, persistence, and exfiltration, inviting organizations to bolster their defenses accordingly.