Engage Report: Glutton PHP Backdoor

Subject: Engage Report: Glutton PHP Backdoor

Tactics: TA0009 Collection, TA0011 Command and Control, TA0005 Defense Evasion, TA0002 Execution, TA0010 Exfiltration, TA0001 Initial Access, TA0003 Persistence

Technique: T1071.001 Application Layer Protocol: Web Protocols, T1059.004 Command and Scripting Interpreter: Unix Shell, T1543.003 Create or Modify System Process: Windows Service, T1041 Exfiltration Over C2 Channel, T1190 Exploit Public-Facing Application, T1027 Obfuscated Files or Information, T1505.003 Server Software Component: Web Shell, T1195 Supply Chain Compromise, T1082 System Information Discovery, T1078 Valid Accounts

Procedure:

  • Tactic: Initial Access (TA0001)

  • Technique: Exploit Public-Facing Application (T1190)

  • Procedure: Exploit vulnerabilities (0-day and N-day) in public-facing PHP applications to gain initial access to the server.

 

  • Tactic: Initial Access (TA0001)

  • Technique: Valid Accounts (T1078)

  • Procedure: Leverage weak password brute-forcing techniques to compromise valid accounts and gain unauthorized access.

 

  • Tactic: Initial Access (TA0001)

  • Technique: Supply Chain Compromise (T1195)

  • Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.

 

  • Tactic: Execution (TA0002)

  • Technique: Command and Scripting Interpreter: PHP (T1059.004)

  • Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.

 

  • Tactic: Persistence (TA0003)

  • Technique: Server Software Component: Web Shell (T1505.003)

  • Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

 

  • Tactic: Persistence (TA0003)

  • Technique: Create or Modify System Process: Launch Daemon (T1543.003)

  • Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.

 

  • Tactic: Command and Control (TA0011)

  • Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP

  • Procedure: Establish an HTTP-based C2 channel for communication with the C2 server (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.

 

  • Tactic: Command and Control (TA0011)

  • Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP

  • Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.

 

  • Tactic: Defense Evasion (TA0005)

  • Technique: Obfuscated Files or Information (T1027)

  • Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.

  • Tactic: Collection (TA0009)

  • Technique: System Information Discovery (T1082)

  • Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.

  • Tactic: Exfiltration (TA0010)

  • Technique: Exfiltration Over C2 Channel (T1041)

  • Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.

Vulnerability:

  • EAV0001: When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
  • EAV0006: When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data.

Engagement Opportunity:

  • Develop and deploy detection rules that specifically target the unique characteristics of Glutton, such as:
    • Repeating hexadecimal patterns used for padding in resources.
    • Byte sequences used to mark the start of position-independent code (PIC).
    • Network signatures for unencrypted C2 communication and HTTP-based downloader traffic.
  • Implement enhanced system monitoring to detect suspicious activities, such as:
    • PHP files executing unexpected commands or processes.
    • Anomalous network connections from PHP or PHP-FPM processes.
    • Modifications to critical system files like /etc/init.d/network.
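As an added illustration of the monitoring items above (not code from the original report or from XLab), the following Python script runs those checks over a constructed, simplified event stream. The key=value event format, the field names and the alert tags are assumptions; the C2 domains and the persistence path are the ones named in this report.

```python
import re

# C2 domains and persistence path are the ones named in this report
GLUTTON_C2_DOMAINS = {"v6.thinkphp1.com", "v20.thinkphp1.com"}
PERSISTENCE_FILE = "/etc/init.d/network"
# PHP interpreter processes that should not normally spawn shells or use UDP
PHP_PROCS = {"php", "php-fpm"}
SHELLS = {"sh", "bash", "dash"}

# Constructed sample events (assumption: a normalised key=value event stream, not
# any vendor's real log format; 203.0.113.0/24 is documentation address space)
SAMPLE_EVENTS = """\
type=exec parent=php-fpm child=sh cmd="sh -c id"
type=exec parent=php-fpm child=php cmd="php -r 'echo 1;'"
type=file parent=php-fpm path=/etc/init.d/network op=write
type=net parent=php-fpm proto=udp dst=203.0.113.10:5353
type=net parent=php-fpm proto=tcp dst=203.0.113.10:3306
type=dns parent=php-fpm qname=v20.thinkphp1.com
type=dns parent=nginx qname=example.com
type=file parent=vim path=/etc/init.d/network op=write
"""

def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(ev):
    """Return an alert tag for one event, or None if nothing matches."""
    t = ev.get("type")
    # Any write to the init script the report names deserves an alert by itself
    if t == "file" and ev.get("path") == PERSISTENCE_FILE and ev.get("op") == "write":
        return "init_script_modified"
    # The remaining rules only concern PHP interpreter processes
    if ev.get("parent") not in PHP_PROCS:
        return None
    if t == "exec" and ev.get("child") in SHELLS:
        return "php_spawns_shell"
    if t == "net" and ev.get("proto") == "udp":
        return "php_udp_egress"
    if t == "dns" and ev.get("qname") in GLUTTON_C2_DOMAINS:
        return "glutton_c2_domain"
    return None

def scan(log_text):
    """Return (line_number, alert_tag) pairs for every event that fires a rule."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        tag = classify(parse_event(line))
        if tag:
            alerts.append((n, tag))
    return alerts
```

Calling scan(SAMPLE_EVENTS) flags the shell spawn, both init-script writes, the UDP egress and the C2 lookup, and leaves the ordinary PHP, TCP and nginx events alone.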

Threat Actor: Winnti Group (with moderate confidence)

Threat Objective:

  • Data exfiltration, including system information, sensitive Baota panel data (credentials, management interface details)
  • Backdoor installation (ELF-based Winnti backdoor, PHP-based backdoors)
  • Code injection targeting popular PHP frameworks (e.g., Baota, ThinkPHP, Yii, Laravel)
  • Targeting and exploiting the cybercrime ecosystem itself.

Deception Opportunity:

  • Create a honeypot environment mimicking a web server hosting popular PHP frameworks.
  • Seed the honeypot with decoy files and credentials.
  • Deploy a fake Baota panel with fabricated sensitive information.
  • Mimic vulnerable software and configurations to attract exploitation attempts.
  • Monitor the honeypot for any Glutton-related activity and gather intelligence on TTPs.

Sensor Data Placement: Application

Observable Level: Core to Adversary-Brought Tool

Scoring Rationale:

The scoring reflects the attacker’s use of custom tools and techniques, combined with the exploitation of legitimate tools and services. The attack chain involves a combination of common and less common techniques.

Observable Level:

  • Ephemeral Values: Not applicable
  • Core to Adversary-Brought Tool:
    • Glutton components (task_loader, init_task, client_loader, etc.)
    • Winnti backdoor and PHP backdoor
    • 10ader_shell code
    • C2 domains and IP addresses
  • Core to Pre-Existing Tool: PHP, PHP-FPM
  • Core to Some Implementations of (Sub-)Technique:
    • Infection of specific PHP frameworks
    • Use of /etc/init.d/network for persistence
  • Core to Sub-Technique or Technique: Not applicable

Link to Report: https://blog.xlab.qianxin.com/glutton_stealthily_targets_mainstream_php_frameworks-en/

Link to Report II.:

Additional Comments:

  • Glutton’s fileless execution and focus on PHP-based infections pose challenges for traditional detection methods.
  • The targeting of cybercriminals adds a unique dimension to this threat, potentially hindering incident reporting and analysis.
  • The campaign’s long-term presence highlights the importance of proactive threat hunting and continuous monitoring.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] – [Technique] – [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] –> [Destination Node ID] ([Exploited Vulnerability])

# Glutton Attack Graph

[1]: Initial Access (TA0001) – Exploit Public-Facing Application (T1190) – Exploit vulnerabilities in public-facing PHP applications (Core to Some Implementations of (Sub-)Technique)
[2]: Initial Access (TA0001) – Valid Accounts (T1078) – Use valid accounts obtained through weak password brute-forcing (Core to Some Implementations of (Sub-)Technique)
[3]: Initial Access (TA0001) – Supply Chain Compromise (T1195) – Distribute pre-compromised business systems with embedded backdoors (Core to Some Implementations of (Sub-)Technique)
[4]: Execution (TA0002) – Command and Scripting Interpreter: PHP (T1059.004) – Execute malicious PHP code within web applications (Core to Pre-Existing Tool)
[5]: Persistence (TA0003) – Server Software Component: Web Shell (T1505.003) – Inject web shells (`10ader_shell`) into PHP files for persistence (Core to Adversary-Brought Tool)
[6]: Persistence (TA0003) – Create or Modify System Process: Launch Daemon (T1543.003) – Install Winnti backdoor as a daemon process via `/etc/init.d/network` modification (Core to Some Implementations of (Sub-)Technique)
[7]: Command and Control (TA0011) – Application Layer Protocol: Web Protocols (T1071.001): HTTP – Establish HTTP-based C2 channel for communication and payload retrieval (Core to Adversary-Brought Tool)
[8]: Command and Control (TA0011) – Application Layer Protocol: Web Protocols (T1071.001): UDP – Utilize UDP for C2 communication with the PHP backdoor (Core to Adversary-Brought Tool)
[9]: Defense Evasion (TA0005) – Obfuscated Files or Information (T1027) – Use obfuscated PHP code in later stages of the attack (Core to Adversary-Brought Tool)
[10]: Collection (TA0009) – System Information Discovery (T1082) – Collect system information, including OS version, PHP version, and sensitive data from Baota panels (Core to Pre-Existing Tool)
[11]: Exfiltration (TA0010) – Exfiltration Over C2 Channel (T1041) – Exfiltrate collected data over HTTP and UDP C2 channels (Core to Sub-Technique or Technique)

1 –> 4 (Lack of Tool-Based Anomaly Detection (EAV0006))
2 –> 4 (Lack of System Monitoring (EAV0001))
3 –> 4 (Lack of Supply Chain Security (EAV0005))
4 –> 5 (Lack of System Monitoring (EAV0001))
4 –> 6 (Lack of System Monitoring (EAV0001))
4 –> 7 (Lack of Network Monitoring (EAV0002))
4 –> 8 (Lack of Network Monitoring (EAV0002))
7 –> 9 (Lack of Tool-Based Anomaly Detection (EAV0006))
4 –> 10 (Lack of System Monitoring (EAV0001))
7 –> 11 (Lack of Network Monitoring (EAV0002))
8 –> 11 (Lack of Network Monitoring (EAV0002))

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# Glutton Pseudocode

function Initial_Access_Exploit_Public_Facing_Application(target_server):
    # Exploit vulnerabilities in public-facing PHP applications on target_server
    return initial_access

function Initial_Access_Valid_Accounts(target_server):
    # Use brute-force to compromise valid accounts on target_server
    return initial_access

function Initial_Access_Supply_Chain_Compromise(target_users):
    # Distribute pre-compromised business systems to target_users
    return initial_access

function Execution_Command_and_Scripting_Interpreter(initial_access):
    # Execute malicious PHP code within the compromised web application
    return persistence_payload, C2_communication_module

function Persistence_Web_Shell(persistence_payload):
    # Inject `10ader_shell` into PHP files for persistence
    return persistent_access

function Persistence_Launch_Daemon(persistence_payload):
    # Install Winnti backdoor as a daemon process via `/etc/init.d/network`
    return persistent_access

function Command_and_Control_Web_Protocols_HTTP(C2_communication_module):
    # Establish HTTP-based C2 communication channel
    # Download additional payloads
    return command_execution_module, exfiltration_module

function Command_and_Control_Web_Protocols_UDP(C2_communication_module):
    # Establish UDP-based C2 communication channel
    return command_execution_module, exfiltration_module

function Defense_Evasion_Obfuscated_Files_or_Information(command_execution_module):
    # Employ obfuscation techniques to evade detection
    return obfuscated_code

function Collection_System_Information_Discovery(command_execution_module):
    # Collect system information and sensitive data
    return collected_data

function Exfiltration_Exfiltration_Over_C2_Channel(exfiltration_module, collected_data):
    # Exfiltrate collected data over HTTP and UDP C2 channels
    return success
