Malware, Threat Intelligence

Novel Glutton backdoor deployed by Winnti hackers

The Chinese state-backed hacking operation Winnti, also known as APT41, has been deploying Glutton, a new and sophisticated ELF-based PHP backdoor, in an attack campaign that has been running for more than a year, reports BleepingComputer. Targets include U.S. and Chinese organizations, especially those in social security, web application development, and IT services, as well as other threat actors.

Aside from targeting the widely used PHP frameworks ThinkPHP, Laravel, Dedecms, and Yii in code injection attacks, Glutton has also been leveraged to exfiltrate data from the Chinese server management tool Baota, an analysis by QAX's XLab research team revealed. Numerous software packages sold in cybercrime forums have also been backdoored with Glutton; when executed, the backdoor facilitated the exfiltration of the malicious actors' own sensitive browser data, including credentials, download and browsing history, cookies, and credit card details. "When cybercriminals attempt to locally debug or modify backdoored business systems, Glutton's operators deploy HackBrowserData to steal high-value sensitive information from the cybercriminals themselves. This creates a recursive attack chain, leveraging the attackers' own activities against them," said XLab researchers.
