216.73.216.215

Playing Possum: What's the Backdoor Up To?

· Published 03/05/2024 10:47 · Modified 03/05/2024 11:49

Export JSON

Essential information

Published
03/05/2024 10:47
Modified
03/05/2024 11:49
Tags
2024-05-03 android backdoor wpeeper
Related entities
98 observables, 11 techniques (mitre), 1 malware

Description

This report analyzes the targeting systems. utilizes compromised WordPress sites as relay C2 servers to hide its true C2. It uses HTTPS requests with Session fields to differentiate command types. Commands are encrypted with AES and signed to prevent takeover. originated from repackaged apps in UPtodown Store. It was distributed through sites appflyer.co and dn.jnipatch.com. On April 22, suddenly ceased activity for unknown reasons.

External references