Since 1974, gambling has been officially illegal in Indonesia. However, the digital revolution of the 2000s introduced a new challenge: the rapid growth of online gambling platforms. This technological shift has created enforcement gaps, compelling the Indonesian government to intensify its efforts to combat illegal online gambling. Recent government crackdowns have sought to disrupt the operators and platforms behind these activities, as authorities emphasize the legal, social, and moral implications of gambling in the predominantly Muslim nation.
Against this backdrop, Imperva Threat Research has detected a surge in suspicious activity targeting PHP-based web applications. Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps. These attacks appear tied to the proliferation of gambling-related sites, potentially as a response to the heightened government scrutiny [1][2]. While these bots have been seen targeting web servers across various regions, a notable focus on Indonesian sites has emerged, aligning with the recent enforcement efforts.
Malicious Command – GSocket Installation
Since the start of the campaign, Imperva has observed millions of requests from a Python-based client with similar HTTP and TLS fingerprint profiles. The requests contain a variety of parameter names and values; however, each contains the following one-liner command:
The command is the one provided by HackersChoice to install the well-known networking toolkit Global Socket (GSocket). It executes an install routine that enables connections from workstations on a different private network, regardless of NAT or firewalls. If no parameters are given, the toolkit is installed on the host and generates a random key, which allows any internet-connected host with the matching utility (gs-netcat) to connect to it.
What is GSocket?
GSocket, as described by HackersChoice, is a tool that allows two users behind NAT or firewalls to establish secure TCP connections. It works by analyzing a program and replacing its IP layer with a GSocket layer, enabling access from anywhere in the world. Connections to hostnames ending in *.gsocket are automatically redirected via the Global Sockets Relay Network (GSRN).
The GSRN is a decentralized, volunteer-run network designed for efficient socket-based communication, prioritizing performance over anonymity. Unlike Tor, which focuses on anonymous browsing, GSRN supports seamless communication while allowing users to enhance anonymity through additional measures.
Additionally, Gs-netcat, a reimplementation of the popular netcat utility, leverages GSRN to establish connections without requiring open firewall ports or accepting incoming TCP connections.
Webshell Scavenger
In the campaign observed by Imperva Threat Research, attackers attempted to deploy GSocket by interacting with pre-existing webshells on compromised servers. Their strategy involved sending a high volume of requests to common webshell paths on PHP servers, using known webshell parameters. This approach increases the likelihood of locating an active webshell to execute commands and install the GSocket toolkit.
Below are some of the most frequently targeted paths identified during the campaign:
Moodle LMS Backdoors
As we researched this campaign, we noticed that many of the attacks were targeting Moodle instances with paths such as “/local/moodle_webshell/webshell.php”. Moodle, a well-known Learning Management System (LMS) platform, is built in PHP and allows easy management of learning resources and convenient registration and administration of online students. With this information, we focused our efforts on investigating the Moodle attack surface and uncovered many examples of backdoored Moodle instances with traces of GSocket infection.
Among the artifacts we observed were additions to the crontab and bashrc on certain hosts which would maintain persistence using the GSocket networking tool:
Base64-decoding of the scripts in bashrc and crontab reveals a command which will re-install the GSocket tool from a binary named “defunct” on the host, with a predefined key stored in a file named defunct.dat.
This persistence mechanism allows the attacker to maintain access to the host even after removal of the webshell backdoor.
Botnet Campaign Objectives – Illegal Online Gambling
Further investigation of the identified backdoored Moodle instances revealed one of the objectives behind the recent GSocket campaign. Within the web-accessible directories of the backdoored hosts we observed irregularly named directories containing files called “index.php”, all created within the past month. We believe that the installation of GSocket allows for the mass and coordinated delivery of these files to the acquired target servers, as there was evidence of GSocket installations on the affected servers.
Upon inspection, these PHP files revealed HTML landing pages with Indonesian text describing various online gambling services:
Translated, the page description reads “888SLOT is the most trusted online lottery bookie agent on the online lottery site. Their admin also offers the experience of playing lottery with very cheap bets and minimal deposits. This also makes them the top choice for those who want to win millions of rupiah with small capital” which, when rendered, revealed the following webpage:
At the top of each PHP file was PHP code designed to allow only search bots to access the page, but regular site visitors would be redirected to another domain:
The objective behind this is to target users searching for known gambling services, then redirect them to another domain. During our investigation we found that the redirection eventually led to “hxxps://pktoto[.]cc”, another known Indonesian gambling site.
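A defender-side check for these doorway pages, added here as an example rather than code from the article: scan a web root for recently modified PHP files that read HTTP_USER_AGENT, test it for crawler names, and redirect everyone else. The two PHP files it inspects are constructed fixtures written to a temporary directory; the redirect target is a placeholder.

```python
# Detect the search-bot cloaking pattern described above: PHP that inspects
# HTTP_USER_AGENT for crawler names and redirects everyone else.
# All files scanned here are constructed fixtures written to a temp directory.
import os, re, tempfile, time

UA_CHECK_RE = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]")
REDIRECT_RE = re.compile(r"\bheader\s*\(\s*['\"]Location\s*:", re.I)
BOT_RE = re.compile(r"googlebot|bingbot|yandex|baiduspider|duckduckbot", re.I)

def classify_php(source: str) -> dict:
    """Return which cloaking traits the PHP source exhibits."""
    ua, redirect, bots = (bool(rx.search(source)) for rx in (UA_CHECK_RE, REDIRECT_RE, BOT_RE))
    return {"ua_check": ua, "redirect": redirect, "bot_names": bots,
            "cloaked": ua and redirect and bots}

def scan_tree(root: str, max_age_days: int = 30) -> list:
    """List *.php files under root modified within max_age_days that look cloaked."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith(".php") or os.stat(path).st_mtime < cutoff:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                if classify_php(fh.read())["cloaked"]:
                    hits.append(path)
    return sorted(hits)

# Constructed fixtures: a doorway page in an oddly named directory, and an
# ordinary script that reads $_SERVER but never redirects.
CLOAKED_PHP = """<?php
$ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
if (strpos($ua, 'googlebot') === false && strpos($ua, 'bingbot') === false) {
    header('Location: https://example.invalid/'); exit;
}
?><html><body>landing-page placeholder</body></html>"""
BENIGN_PHP = "<?php require_once(__DIR__ . '/config.php');\necho htmlspecialchars($_SERVER['REQUEST_URI']);"

def build_fixture() -> str:
    """Write the fixtures into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="php-audit-")
    os.makedirs(os.path.join(root, "x7q2kd"))
    for rel, body in (("x7q2kd/index.php", CLOAKED_PHP), ("index.php", BENIGN_PHP)):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_tree("/var/www")` (or the Moodle document root) on a real host; a hit is only a lead, so confirm it by fetching the page with and without a crawler User-Agent.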
Using a basic search engine to look up common Indonesian gambling terms highlights the scale of exploitation. Nearly all the indexed sites are unrelated to Indonesian gambling, which enables threat actors to redirect traffic seamlessly across different domains. When government crackdowns take one gambling site offline, another can quickly take its place, ensuring minimal disruption to their operations.
Conclusion and Takeaways
The backdoor campaign highlights the persistent threat posed by attackers leveraging compromised web servers to facilitate illegal operations, such as promoting gambling platforms. Attackers’ use of GSocket, and tools like it, demonstrates the evolving techniques cybercriminals deploy to maintain operations despite governmental crackdowns.
Key Actions:
- Check for Backdoors: Website administrators should audit their PHP servers for potential backdoors, focusing on common webshell paths. Proactively monitoring and removing unauthorized files is essential to maintaining a secure environment.
- Implement Mitigations: Imperva has already mitigated over 3 million requests related to this campaign, demonstrating the effectiveness of advanced security solutions in combating these threats. Leveraging tools like Imperva can help detect and block malicious activity, analyze traffic patterns, and secure your infrastructure against ongoing campaigns.
Staying vigilant, regularly updating software, and using robust security measures will significantly reduce the risk of falling victim to campaigns like this. As attackers continue to innovate, adopting a proactive security posture is crucial for defending against emerging threats.