
Playing Possum: What's the Backdoor Up To?

May 3, 2024, 11:49 a.m.

Description

This report analyzes the Wpeeper backdoor, which targets Android devices. Wpeeper uses compromised WordPress sites as relay C2 servers so that the location of its real C2 stays hidden behind legitimate-looking hosts. It communicates over HTTPS and uses the Session field of its requests to distinguish command types. Commands are AES-encrypted and signed, so a third party who seizes a relay (or the relay's operator) cannot inject commands of their own. Wpeeper was first seen in repackaged apps on the Uptodown Store and was distributed through the sites appflyer.co and dn.jnipatch.com. On April 22, 2024, Wpeeper abruptly ceased activity for reasons that remain unknown.

Date

Published: May 3, 2024, 10:47 a.m.

Created: May 3, 2024, 10:47 a.m.

Modified: May 3, 2024, 11:49 a.m.

Indicators

e5af8e705e079d28f795cf490a66f74415699c9674833e2524eb746004d56a6b

www.yitaichi.com

www.francescocutrupi.com

www.elcomparadorseguros.com

www.cureoscitystaging.com

www.civitize.com

www.chasinglydie.com

https://wyattotero.com/AQVLLY/

https://www.yitaichi.com/K7ODU6/

https://www.francescocutrupi.com/WJYP89/

https://www.elcomparadorseguros.com/A5FDX7/

https://www.cureoscitystaging.com/YKUCU8/

https://www.chasinglydie.com/7V5QT0/

https://www.civitize.com/0SA67H/

https://vaticanojoyas.com/R5Q7G4/

https://wendyllc.com/QD8490/

https://web.rtekno.com/5XPOS2/

https://trashspringield.com/GYNH3A/

https://tartarcusp.com/BZRAWE/

https://toubainfo.com/G1ACF0/

https://stilesmcgraw.com/1WN2BH/

https://speedyrent-sa.com/AIOFB2/

https://socktopiashop.com/4WYZ7I/

https://snipsnack.com/T8Q2BN/

https://schatzrestaurant.com/J2WMA6/

https://scatsexo.com/NVZ4L0/

https://rastellimeeting.com/9Q4GOM/

https://qualitygoodsforconfectioners.com/3QLS47/

https://petintrip.com/QPNQSM/

https://ocalacommercialconstruction.com/WXFHF6/

https://nutrivital-in.com/7DB9BC/

https://nt-riccotech.com/Q4LQKN/

https://naroyaldiamonds.com/WZJ236/

https://mrscanology.com/8GVHT3/

https://masterlogisticsfzco.com/5CBSYC/

https://kiwisnowman.com/DC4O03/

https://hhfus.com/CUGCCO/

https://gadeonclub.com/Q9DVGH/

https://fontshown.com/4D69BN/

https://focusframephoto.com/1J10V9/

https://eamdomai.com/e?token=Tp5D1nRiu3rFOaCbT4PVcewqIhqbQspd8/3550AI/b1MMJttn+xr4oEFJiGx1bCZztteCi5dG1gYFlNTL0Fp8UaMxROCw4cr225ENjOCmT8oQUyMTjjuTo10fAuFsz9j

https://essentialelearning.com/EVSKOT/

https://dodgeagonize.com/KJSLOT/

https://dibplumber.com/LCN9UJ/

https://dn.jnipatch.com/downloads/latest/device/android

https://dermocuidado.com/8QSCZP/

https://coexisthedge.com/ZF57OA/

https://carshringaraligarh.com/TBHH4O/

https://carloadspry.com/SJI4C1/

https://beanblisscafe.com/MX1OAS/

https://barbeariadomarfim.com/BN2TTO/

https://avsecretarial.com/PYWDEL/

https://atba3li.com/Z99QQ6/

https://4devsolutions.com/4NUAK1/

https://appflyer.co/downloads/latest/device/android/

http://snipsnack.com/T8Q2BN/

web.rtekno.com

dn.jnipatch.com

wyattotero.com

wendyllc.com

vaticanojoyas.com

trashspringield.com

toubainfo.com

tartarcusp.com

stilesmcgraw.com

speedyrent-sa.com

socktopiashop.com

snipsnack.com

schatzrestaurant.com

rastellimeeting.com

scatsexo.com

qualitygoodsforconfectioners.com

ocalacommercialconstruction.com

petintrip.com

nutrivital-in.com

naroyaldiamonds.com

nt-riccotech.com

mrscanology.com

hhfus.com

masterlogisticsfzco.com

kiwisnowman.com

gadeonclub.com

fontshown.com

focusframephoto.com

essentialelearning.com

eamdomai.com

dodgeagonize.com

dibplumber.com

dermocuidado.com

coexisthedge.com

carshringaraligarh.com

carloadspry.com

beanblisscafe.com

barbeariadomarfim.com

avsecretarial.com

atba3li.com

appflyer.co

4devsolutions.com
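The description above explains that Wpeeper talks to compromised WordPress sites acting as relays, and the indicator list gives those relays as domain and URL IOCs plus one SHA-256 sample hash. The following is an added example (not code from the original report or from the Wpeeper analysis) showing how a defender would match web-proxy logs against those indicators. It embeds a small subset of the indicators listed above, uses a constructed five-line proxy log as input, and adds one heuristic that is an observation from the list rather than a documented Wpeeper property: every relay path is a single six-character uppercase alphanumeric directory at the site root (for example /K7ODU6/). The log format and the function names are assumptions made for the example.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Subset of the indicators published on this page, embedded so the script runs offline.
WPEEPER_SHA256 = {"e5af8e705e079d28f795cf490a66f74415699c9674833e2524eb746004d56a6b"}
WPEEPER_URLS = [
    "https://www.yitaichi.com/K7ODU6/",
    "https://snipsnack.com/T8Q2BN/",
    "http://snipsnack.com/T8Q2BN/",
    "https://dn.jnipatch.com/downloads/latest/device/android",
    "https://appflyer.co/downloads/latest/device/android/",
]
WPEEPER_DOMAINS = {"www.yitaichi.com", "snipsnack.com", "dn.jnipatch.com", "appflyer.co"}

# Heuristic derived from the listed relay URLs (an assumption, not a documented
# Wpeeper trait): one six-character uppercase alphanumeric directory at the root.
# Expect false positives on ordinary sites; treat it as a hunting lead, not a verdict.
RELAY_PATH_RE = re.compile(r"^/[A-Z0-9]{6}/$")


def normalize_url(url):
    """Return (lowercase host, path) so scheme and host case do not affect matching."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path or "/"


def build_iocs(urls, domains):
    """Build an exact (host, path) set and a host set from the published indicators."""
    exact = {normalize_url(u) for u in urls}
    hosts = {d.lower() for d in domains} | {h for h, _ in exact}
    return exact, hosts


def host_listed(host, hosts):
    """Exact host match, or the host is a subdomain of a listed host."""
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def classify(url, exact, hosts):
    """Strongest applicable label: 'exact', 'domain', 'heuristic', or None."""
    host, path = normalize_url(url)
    if (host, path) in exact:
        return "exact"
    if host_listed(host, hosts):
        return "domain"
    if RELAY_PATH_RE.match(path):
        return "heuristic"
    return None


def hash_is_wpeeper(data):
    """SHA-256 of an APK's bytes compared against the listed sample hash."""
    return hashlib.sha256(data).hexdigest() in WPEEPER_SHA256


# Constructed proxy log (assumed format: time client method url status), not real telemetry.
SAMPLE_LOG = """\
2024-04-20T10:01:02Z 10.0.0.5 GET https://www.yitaichi.com/K7ODU6/ 200
2024-04-20T10:01:05Z 10.0.0.5 POST http://SNIPSNACK.COM/T8Q2BN/ 200
2024-04-20T10:02:11Z 10.0.0.7 GET https://example.org/index.html 200
2024-04-20T10:03:40Z 10.0.0.9 GET https://appflyer.co/downloads/latest/device/android/ 200
2024-04-20T10:04:00Z 10.0.0.11 GET https://www.unknown-shop.example/QX91ZT/ 200
"""


def scan_log(text, urls=WPEEPER_URLS, domains=WPEEPER_DOMAINS):
    """Return (client, url, label) for every log line that matches an IOC or the heuristic."""
    exact, hosts = build_iocs(urls, domains)
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than crash the scan
        _, client, _, url, _ = fields[:5]
        label = classify(url, exact, hosts)
        if label:
            hits.append((client, url, label))
    return hits


if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{label:9s} {client:12s} {url}")
```

The exact and domain matches are actionable on their own; the heuristic hit (10.0.0.11 in the sample) only tells you where to look next, since a six-character directory is not unique to Wpeeper relays. Because the relays are compromised legitimate WordPress sites, blocking the whole domain may break unrelated business traffic, which is one reason to keep the URL-path match as the primary indicator.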

Attack Patterns

Wpeeper

T1064 Scripting (deprecated in ATT&CK; merged into T1059 Command and Scripting Interpreter)

T1573 Encrypted Channel

T1105 Ingress Tool Transfer

T1071 Application Layer Protocol

T1036 Masquerading

T1204 User Execution

T1140 Deobfuscate/Decode Files or Information

T1132 Data Encoding

T1027 Obfuscated Files or Information

T1056 Input Capture

T1090 Proxy