Playing Possum: What's the Backdoor Up To?

May 3, 2024, 11:49 a.m.

Description

This report analyzes the Wpeeper backdoor, which targets Android devices. Wpeeper uses compromised WordPress sites as relay C2 servers to hide its real C2. It communicates over HTTPS and uses the Session field of the request to distinguish command types. Commands are AES-encrypted and signed, so the botnet cannot be taken over by forging commands through a relay. Wpeeper was found in repackaged apps from the Uptodown store and was distributed through the sites appflyer.co and dn.jnipatch.com. On April 22, Wpeeper abruptly stopped all activity for unknown reasons.
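An added example, not part of the report: a Python checker that runs a subset of the page's indicators over constructed proxy log lines. It matches hosts with or without a leading www. and ignores the URL scheme (the page lists snipsnack.com under both http and https), and it flags requests to unlisted hosts whose path has the same six-character shape as the listed relay URLs; that last check is a heuristic derived from the indicator list, not something the report states. The log format, timestamps and source IPs are constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the page (subset): relay hostnames, relay URLs, download URLs.
WPEEPER_HOSTS = {
    "www.yitaichi.com", "www.francescocutrupi.com", "www.elcomparadorseguros.com",
    "www.cureoscitystaging.com", "www.civitize.com", "www.chasinglydie.com",
}
WPEEPER_URLS = {
    "https://wyattotero.com/AQVLLY/",
    "https://www.yitaichi.com/K7ODU6/",
    "https://snipsnack.com/T8Q2BN/",
    "http://snipsnack.com/T8Q2BN/",
    "https://dn.jnipatch.com/downloads/latest/device/android",
    "https://appflyer.co/downloads/latest/device/android/",
}

# Heuristic: every relay URL on the page is "/<6 uppercase alphanumerics>/".
RELAY_PATH = re.compile(r"^/[A-Z0-9]{6}/$")


def _norm_host(host):
    """Lower-case, drop trailing dot and a leading 'www.' so both forms match."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _norm_url(url):
    """Reduce a URL to (host, path); the scheme is ignored on purpose."""
    p = urlsplit(url.strip())
    return _norm_host(p.hostname or ""), p.path or "/"


IOC_HOSTS = {_norm_host(h) for h in WPEEPER_HOSTS}
IOC_URLS = {_norm_url(u) for u in WPEEPER_URLS}


def classify(url):
    """Return a verdict string for one requested URL, or None if it is clean."""
    host, path = _norm_url(url)
    if (host, path) in IOC_URLS:
        return "download" if path.startswith("/downloads/") else "relay"
    if host in IOC_HOSTS:
        return "relay-host"          # listed host, path not in the indicator list
    if RELAY_PATH.match(path):
        return "suspect-relay-shape"  # unlisted host, relay-like path (low confidence)
    return None


def scan_proxy_log(lines):
    """Constructed format: '<timestamp> <src_ip> <method> <url> <status>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, src, _method, url = parts[:4]
        verdict = classify(url)
        if verdict:
            hits.append((src, url, verdict))
    return hits


# Constructed sample log; no real client data.
SAMPLE_LOG = """\
2024-04-20T10:01:02Z 10.0.0.12 GET https://www.yitaichi.com/K7ODU6/ 200
2024-04-20T10:01:05Z 10.0.0.12 GET https://appflyer.co/downloads/latest/device/android/ 200
2024-04-20T10:02:10Z 10.0.0.31 GET http://snipsnack.com/T8Q2BN/ 200
2024-04-20T10:03:44Z 10.0.0.31 GET https://example.org/index.html 200
2024-04-20T10:04:01Z 10.0.0.45 POST https://yitaichi.com/K7ODU6/ 200
2024-04-20T10:05:00Z 10.0.0.45 GET https://unlisted-site.example/ZZ9QK1/ 200
2024-04-20T10:06:12Z 10.0.0.45 GET https://www.civitize.com/ 200
"""

if __name__ == "__main__":
    for src, url, verdict in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:20} {src:12} {url}")
```

The "suspect-relay-shape" verdict will also fire on benign six-character paths, so treat it as a pivot for review (for instance, a client that first fetched one of the download URLs and then hits such a path) rather than as a block decision on its own.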

Date

Published: May 3, 2024, 10:47 a.m.
Created: May 3, 2024, 10:47 a.m.
Modified: May 3, 2024, 11:49 a.m.

Indicators

e5af8e705e079d28f795cf490a66f74415699c9674833e2524eb746004d56a6b

www.yitaichi.com

www.francescocutrupi.com

www.elcomparadorseguros.com

www.cureoscitystaging.com

www.civitize.com

www.chasinglydie.com

https://wyattotero.com/AQVLLY/

https://www.yitaichi.com/K7ODU6/

https://www.francescocutrupi.com/WJYP89/

https://www.elcomparadorseguros.com/A5FDX7/

https://www.cureoscitystaging.com/YKUCU8/

https://www.chasinglydie.com/7V5QT0/

https://www.civitize.com/0SA67H/

https://vaticanojoyas.com/R5Q7G4/

https://wendyllc.com/QD8490/

https://web.rtekno.com/5XPOS2/

https://trashspringield.com/GYNH3A/

https://tartarcusp.com/BZRAWE/

https://toubainfo.com/G1ACF0/

https://stilesmcgraw.com/1WN2BH/

https://speedyrent-sa.com/AIOFB2/

https://socktopiashop.com/4WYZ7I/

https://snipsnack.com/T8Q2BN/

https://schatzrestaurant.com/J2WMA6/

https://scatsexo.com/NVZ4L0/

https://rastellimeeting.com/9Q4GOM/

https://qualitygoodsforconfectioners.com/3QLS47/

https://petintrip.com/QPNQSM/

https://ocalacommercialconstruction.com/WXFHF6/

https://nutrivital-in.com/7DB9BC/

https://nt-riccotech.com/Q4LQKN/

https://naroyaldiamonds.com/WZJ236/

https://mrscanology.com/8GVHT3/

https://masterlogisticsfzco.com/5CBSYC/

https://kiwisnowman.com/DC4O03/

https://hhfus.com/CUGCCO/

https://gadeonclub.com/Q9DVGH/

https://fontshown.com/4D69BN/

https://focusframephoto.com/1J10V9/

https://eamdomai.com/e?token=Tp5D1nRiu3rFOaCbT4PVcewqIhqbQspd8/3550AI/b1MMJttn+xr4oEFJiGx1bCZztteCi5dG1gYFlNTL0Fp8UaMxROCw4cr225ENjOCmT8oQUyMTjjuTo10fAuFsz9j

https://essentialelearning.com/EVSKOT/

https://dodgeagonize.com/KJSLOT/

https://dibplumber.com/LCN9UJ/

https://dn.jnipatch.com/downloads/latest/device/android

https://dermocuidado.com/8QSCZP/

https://coexisthedge.com/ZF57OA/

https://carshringaraligarh.com/TBHH4O/

https://carloadspry.com/SJI4C1/

https://beanblisscafe.com/MX1OAS/

https://barbeariadomarfim.com/BN2TTO/

https://avsecretarial.com/PYWDEL/

https://atba3li.com/Z99QQ6/

https://4devsolutions.com/4NUAK1/

https://appflyer.co/downloads/latest/device/android/

http://snipsnack.com/T8Q2BN/

Attack Patterns

Wpeeper

T1064 Scripting (deprecated; merged into T1059 Command and Scripting Interpreter)

T1573 Encrypted Channel

T1105 Ingress Tool Transfer

T1071 Application Layer Protocol

T1036 Masquerading

T1204 User Execution

T1140 Deobfuscate/Decode Files or Information

T1132 Data Encoding

T1027 Obfuscated Files or Information

T1056 Input Capture

T1090 Proxy