Playing Possum: What's the Backdoor Up To?
May 3, 2024, 11:49 a.m.
Description
This report analyzes the Wpeeper backdoor targeting Android systems. Wpeeper utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. Wpeeper originated from repackaged apps in UPtodown Store. It was distributed through sites appflyer.co and dn.jnipatch.com. On April 22, Wpeeper suddenly ceased activity for unknown reasons.
Tags
Date
- Created: May 3, 2024, 10:47 a.m.
- Published: May 3, 2024, 10:47 a.m.
- Modified: May 3, 2024, 11:49 a.m.
Indicators
- e5af8e705e079d28f795cf490a66f74415699c9674833e2524eb746004d56a6b
- www.yitaichi.com
- www.francescocutrupi.com
- www.elcomparadorseguros.com
- www.cureoscitystaging.com
- www.civitize.com
- www.chasinglydie.com
- https://wyattotero.com/AQVLLY/
- https://www.yitaichi.com/K7ODU6/
- https://www.francescocutrupi.com/WJYP89/
- https://www.elcomparadorseguros.com/A5FDX7/
- https://www.cureoscitystaging.com/YKUCU8/
- https://www.chasinglydie.com/7V5QT0/
- https://www.civitize.com/0SA67H/
- https://vaticanojoyas.com/R5Q7G4/
- https://wendyllc.com/QD8490/
- https://web.rtekno.com/5XPOS2/
- https://trashspringield.com/GYNH3A/
- https://tartarcusp.com/BZRAWE/
- https://toubainfo.com/G1ACF0/
- https://stilesmcgraw.com/1WN2BH/
- https://speedyrent-sa.com/AIOFB2/
- https://socktopiashop.com/4WYZ7I/
- https://snipsnack.com/T8Q2BN/
- https://schatzrestaurant.com/J2WMA6/
- https://scatsexo.com/NVZ4L0/
- https://rastellimeeting.com/9Q4GOM/
- https://qualitygoodsforconfectioners.com/3QLS47/
- https://petintrip.com/QPNQSM/
- https://ocalacommercialconstruction.com/WXFHF6/
- https://nutrivital-in.com/7DB9BC/
- https://nt-riccotech.com/Q4LQKN/
- https://naroyaldiamonds.com/WZJ236/
- https://mrscanology.com/8GVHT3/
- https://masterlogisticsfzco.com/5CBSYC/
- https://kiwisnowman.com/DC4O03/
- https://hhfus.com/CUGCCO/
- https://gadeonclub.com/Q9DVGH/
- https://fontshown.com/4D69BN/
- https://focusframephoto.com/1J10V9/
- https://eamdomai.com/e?token=Tp5D1nRiu3rFOaCbT4PVcewqIhqbQspd8/3550AI/b1MMJttn+xr4oEFJiGx1bCZztteCi5dG1gYFlNTL0Fp8UaMxROCw4cr225ENjOCmT8oQUyMTjjuTo10fAuFsz9j
- https://essentialelearning.com/EVSKOT/
- https://dodgeagonize.com/KJSLOT/
- https://dibplumber.com/LCN9UJ/
- https://dn.jnipatch.com/downloads/latest/device/android
- https://dermocuidado.com/8QSCZP/
- https://coexisthedge.com/ZF57OA/
- https://carshringaraligarh.com/TBHH4O/
- https://carloadspry.com/SJI4C1/
- https://beanblisscafe.com/MX1OAS/
- https://barbeariadomarfim.com/BN2TTO/
- https://avsecretarial.com/PYWDEL/
- https://atba3li.com/Z99QQ6/
- https://4devsolutions.com/4NUAK1/
- https://appflyer.co/downloads/latest/device/android/
- http://snipsnack.com/T8Q2BN/
- web.rtekno.com
- dn.jnipatch.com
- wyattotero.com
- wendyllc.com
- vaticanojoyas.com
- trashspringield.com
- toubainfo.com
- tartarcusp.com
- stilesmcgraw.com
- speedyrent-sa.com
- socktopiashop.com
- snipsnack.com
- schatzrestaurant.com
- rastellimeeting.com
- scatsexo.com
- qualitygoodsforconfectioners.com
- ocalacommercialconstruction.com
- petintrip.com
- nutrivital-in.com
- naroyaldiamonds.com
- nt-riccotech.com
- mrscanology.com
- hhfus.com
- masterlogisticsfzco.com
- kiwisnowman.com
- gadeonclub.com
- fontshown.com
- focusframephoto.com
- essentialelearning.com
- eamdomai.com
- dodgeagonize.com
- dibplumber.com
- dermocuidado.com
- coexisthedge.com
- carshringaraligarh.com
- carloadspry.com
- beanblisscafe.com
- barbeariadomarfim.com
- avsecretarial.com
- atba3li.com
- appflyer.co
- 4devsolutions.com
Attack Patterns
- Wpeeper
- T1064
- T1573
- T1105
- T1071
- T1036
- T1204
- T1140
- T1132
- T1027
- T1056
- T1090