The attacker may have used the malware to check for antivirus-related processes running in the system.
Tag: Backdoor
Engage Report: Glutton PHP Backdoor
Tactic: Initial Access (TA0001)
Technique: Exploit Public-Facing Application (T1190)
Procedure: Exploit vulnerabilities (0-day and N-day) in public-facing PHP applications to gain initial access to the server.

Tactic: Initial Access (TA0001)
Technique: Valid Accounts (T1078)
Procedure: Brute-force weak passwords to compromise valid accounts and gain unauthorized access.

Tactic: Initial Access (TA0001)
Technique: Supply Chain Compromise (T1195)
Procedure: Distribute pre-compromised business systems embedded with the 10ader_shell backdoor through cybercrime source code forums.

Tactic: Execution (TA0002)
Technique: Command and Scripting Interpreter: PHP (T1059.004)
Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.

Tactic: Persistence (TA0003)
Technique: Server Software Component: Web Shell (T1505.003)
Procedure: Inject web shells (10ader_shell) into PHP files to maintain persistence on the compromised server.

Tactic: Persistence (TA0003)
Technique: Create or Modify System Process: Launch Daemon (T1543.003)
Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network file.

Tactic: Command and Control (TA0011)
Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP
Procedure: Establish an HTTP-based C2 channel to the C2 servers (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.

Tactic: Command and Control (TA0011)
Technique: Application Layer Protocol: Web Protocols (T1071.001): UDP
Procedure: Use UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.

Tactic: Defense Evasion (TA0005)
Technique: Obfuscated Files or Information (T1027)
Procedure: Employ obfuscation in later stages of the attack (e.g., obfuscating the 10ader function code in client_loader) to hinder analysis and detection.

Tactic: Collection (TA0009)
Technique: System Information Discovery (T1082)
Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.

Tactic: Exfiltration (TA0010)
Technique: Exfiltration Over C2 Channel (T1041)
Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.
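A defender's starting point for the indicators in the mapping above, added here as an example (it is not part of the report and not vendor tooling): it searches PHP source for the function names the report lists and searches DNS log lines for the two C2 hosts. The function and host spellings are copied from the text on this page as extracted; the DNS log line format, the inert sample PHP file, and the file-extension list are constructed assumptions.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the Glutton ATT&CK mapping on this page: the PHP
# function names the report lists and the two C2 hosts. Spellings are taken
# verbatim from the report text as it appears above.
GLUTTON_FUNCTIONS: Tuple[str, ...] = ("task_loader", "init_task", "client_loader", "10ader_shell")
GLUTTON_C2_HOSTS: Tuple[str, ...] = ("v6.thinkphp1.com", "v20.thinkphp1.com")

# Whole-identifier match, so "task_loader_v2" is not reported as "task_loader".
_FUNC_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, GLUTTON_FUNCTIONS)) + r")(?![A-Za-z0-9_])"
)
# Whole-hostname match, case-insensitive (DNS names are case-insensitive).
_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])(" + "|".join(map(re.escape, GLUTTON_C2_HOSTS)) + r")(?![A-Za-z0-9.-])",
    re.IGNORECASE,
)


def scan_php_source(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, function_name) for every listed name found in PHP source."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _FUNC_RE.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def scan_dns_log(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group log lines by the C2 host they mention; keys are lower-cased hostnames."""
    by_host: Dict[str, List[str]] = {}
    for line in lines:
        for m in _HOST_RE.finditer(line):
            by_host.setdefault(m.group(1).lower(), []).append(line.rstrip("\n"))
    return by_host


def scan_php_tree(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk a web root and scan PHP files; returns {path: hits} for files with hits.

    The extension list is an assumption; extend it for your deployment."""
    results: Dict[str, List[Tuple[int, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                results[path] = hits
    return results


# Constructed sample inputs (not real samples): an inert PHP file that merely
# defines two of the listed names, and three synthetic DNS resolver log lines.
SAMPLE_PHP = """<?php
function client_loader($cfg) { return $cfg; }
$x = init_task();
echo "hello";
"""
SAMPLE_DNS_LOG = [
    "2025-01-01T10:00:00Z client=10.0.0.5 query=A name=v6.thinkphp1.com",
    "2025-01-01T10:00:01Z client=10.0.0.5 query=A name=example.org",
    "2025-01-01T10:00:02Z client=10.0.0.7 query=A name=V20.thinkphp1.com",
]

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))
    print(scan_dns_log(SAMPLE_DNS_LOG))
```

A name match is a lead, not a verdict: a legitimate file can reuse a generic name like init_task, so review each hit in context and pair it with the host checks and with file-integrity data for the web root.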
Hunting Pygmy Goat communication
The attacker is using a malicious scheduled task to connect back to a C2 server.
Pygmy Goat Backdoor
Pygmy Goat uses the LD_PRELOAD environment variable to inject itself into the sshd process, ensuring it’s loaded and executed whenever the SSH daemon starts.
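How a defender can check for the LD_PRELOAD injection into sshd described above, as an added example rather than code from the report: it reads each sshd process's environment and memory maps from /proc, reads the global /etc/ld.so.preload file, and flags any shared object mapped from outside the usual system library directories. The directory allowlist is an assumption to adjust per distribution, and the sample /proc contents are constructed.

```python
import os
from typing import Dict, List, Optional, Set

# Directories from which sshd is expected to load shared objects on a typical
# Linux host. Anything mapped from elsewhere (/tmp, /dev/shm, a home directory)
# deserves a look. This list is an assumption; adjust it for your distribution.
EXPECTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse /proc/<pid>/environ, which is NUL-separated KEY=VALUE pairs."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def preload_from_environ(raw: bytes) -> Optional[str]:
    """The LD_PRELOAD value in a process environment, or None if unset."""
    return parse_environ(raw).get("LD_PRELOAD")


def ld_so_preload_entries(text: str) -> List[str]:
    """Library paths listed in /etc/ld.so.preload (blank lines and # comments ignored)."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def loaded_shared_objects(maps_text: str) -> Set[str]:
    """File-backed shared objects present in /proc/<pid>/maps."""
    objs: Set[str] = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode pathname
        if len(parts) < 6:
            continue
        path = parts[5].strip()
        if path.endswith(" (deleted)"):  # unlinked after load: still worth reporting
            path = path[: -len(" (deleted)")]
        if path.startswith("/") and ".so" in os.path.basename(path):
            objs.add(path)
    return objs


def unexpected_shared_objects(maps_text: str) -> Set[str]:
    """Shared objects mapped from outside the expected library directories."""
    return {p for p in loaded_shared_objects(maps_text) if not p.startswith(EXPECTED_LIB_PREFIXES)}


def sshd_pids() -> List[int]:
    """PIDs whose comm is sshd (live /proc walk; Linux only)."""
    pids: List[int] = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as fh:
                if fh.read().strip() == "sshd":
                    pids.append(int(name))
        except OSError:
            continue
    return pids


def audit_live() -> Dict[str, object]:
    """Run all three checks against the running host (needs root to read other PIDs' environ)."""
    preload: List[str] = []
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = ld_so_preload_entries(fh.read())
    except OSError:
        pass  # file absent is the normal, clean state
    per_pid: Dict[int, Dict[str, object]] = {}
    for pid in sshd_pids():
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                env_preload = preload_from_environ(fh.read())
            with open(f"/proc/{pid}/maps") as fh:
                odd = unexpected_shared_objects(fh.read())
        except OSError:
            continue
        per_pid[pid] = {"LD_PRELOAD": env_preload, "unexpected_objects": sorted(odd)}
    return {"ld_so_preload": preload, "sshd": per_pid}


# Constructed sample data (not captured from a real infection).
SAMPLE_MAPS = """\
5600a1c00000-5600a1c8f000 r-xp 00000000 08:01 262145 /usr/sbin/sshd
7f2b3c000000-7f2b3c1c8000 r-xp 00000000 08:01 131072 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2b3c400000-7f2b3c402000 r-xp 00000000 08:01 917511 /tmp/constructed_example.so
7f2b3c600000-7f2b3c621000 rw-p 00000000 00:00 0 [heap]
"""
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/tmp/constructed_example.so\0LANG=C\0"

if __name__ == "__main__":
    print(unexpected_shared_objects(SAMPLE_MAPS))
    print(preload_from_environ(SAMPLE_ENVIRON))
    print(audit_live())
```

A clean host returns an empty ld_so_preload list, no LD_PRELOAD in any sshd environment, and no unexpected objects. The maps check matters because LD_PRELOAD can be removed from the environment after the library is loaded, while the mapping remains visible for the life of the process.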