Black and White Domination: Glutton Trojan Lurks in Mainstream PHP Frameworks
Dec. 11, 2024, 7:36 p.m.
Description
The XLab threat detection system uncovered an advanced PHP trojan named Glutton, which has been active for over a year without detection. Glutton targets both legitimate businesses and cybercriminal operations, infiltrating popular PHP frameworks like ThinkPHP and Laravel. It employs modular components for information theft, backdoor installation, and code injection. The malware can deploy both ELF-based Winnti backdoors and PHP-based backdoors, demonstrating cross-platform capabilities. Notably, Glutton also targets black market operations by infecting their systems, potentially aiming to steal from cybercriminals themselves. The attack framework operates without leaving files on disk, making detection challenging.
Date
Published: Dec. 11, 2024, 7:24 p.m.
Created: Dec. 11, 2024, 7:24 p.m.
Modified: Dec. 11, 2024, 7:36 p.m.
Indicators
777c1fda4008f122ff3aef9e80b5b5720c9f2dbc3d7e708277e2ccad1afd8cc5
172.247.127.210
156.251.163.120
v6.thinkphp1.com
v20.thinkphp1.com
Attack Patterns
Glutton
Winnti
T1553.004
T1505.003
T1021.001
T1588.002
T1037
T1571
T1059.004
T1070.004
T1005
T1082
T1105
T1083
T1205
T1027
T1078
Additional Information
Information Technology
Finance
Government