Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers

May 01, 2024 | Newsroom | Malware / Android

Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion.

The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications.

“Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands,” researchers from the QiAnXin XLab team said.

The ELF binary is embedded within a repackaged application that purports to be the Uptodown App Store app for Android (package name “com.uptodown”), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection.
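One defensive check this delivery method suggests is looking inside an APK for ELF files that sit outside the conventional native-library directory (lib/<abi>/). The following is an added example, not code from the article or from the QiAnXin XLab researchers; the sample APK it scans is constructed in memory, and the path conventions it applies are an assumption about where native code normally lives in an APK.

```python
"""Flag ELF binaries inside an APK, noting whether each sits in the usual
lib/<abi>/*.so location or somewhere unexpected such as assets/."""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"


def find_embedded_elf(apk_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP entry whose content starts with the ELF magic.
    conventional_location is True only for lib/<abi>/<name>.so paths; anything
    else (assets/, res/raw/, ...) is worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic is needed to classify
            if head != ELF_MAGIC:
                continue
            parts = info.filename.split("/")
            conventional = (len(parts) == 3 and parts[0] == "lib"
                            and parts[2].endswith(".so"))
            findings.append({"path": info.filename,
                             "size": info.file_size,
                             "conventional_location": conventional})
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample (not a real app): a minimal APK-like ZIP with one
    legitimate-looking native library and one ELF payload hidden under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("lib/arm64-v8a/libnative.so", ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 64)
        zf.writestr("assets/fonts/data.bin", ELF_MAGIC + b"\x01\x01\x01" + b"\0" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_embedded_elf(build_sample_apk()):
        flag = "" if f["conventional_location"] else "  <-- unexpected location"
        print(f"{f['path']} ({f['size']} bytes){flag}")
```

On a real sample, pass the APK's bytes to find_embedded_elf and treat any finding with conventional_location False as a candidate for manual inspection.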

The Chinese cybersecurity firm said it discovered the malware after it detected a Wpeeper artifact with zero detection on the VirusTotal platform on April 18, 2024. The campaign is said to have come to an abrupt end four days later.

The use of the Uptodown App Store app for the campaign indicates an attempt to pass the malware off as a legitimate third-party app marketplace and trick unsuspecting users into installing it. According to stats on Android-apk.org, the trojanized version of the app (5.92) has been downloaded 2,609 times to date.

Wpeeper relies on a multi-tier C2 architecture that uses infected WordPress sites as an intermediary to obscure its true C2 servers. As many as 45 C2 servers have been identified as part of the infrastructure, nine of which are hard-coded into the samples and are used to update the C2 list on the fly.

“These [hard-coded servers] are not C2s but C2 redirectors — their role is to forward the bot’s requests to the real C2, aimed at shielding the actual C2 from detection,” the researchers said.

This has also raised the possibility that some of the hard-coded servers are directly under the attackers' control, since there is a risk of losing access to the botnet should WordPress site administrators get wind of the compromise and take steps to correct it.

The commands retrieved from the C2 server allow the malware to collect device and file information, list installed apps, update the C2 server, download and execute additional payloads from the C2 server or an arbitrary URL, and delete itself.

The exact goals and scale of the campaign are presently unknown, although it’s suspected that the stealthy approach may have been used to build up installation numbers before revealing the malware’s capabilities.

To mitigate the risks posed by such malware, it’s always advised to install apps only from trusted sources, and scrutinize app reviews and permissions prior to downloading them.
