May 1, 2024 at 08:27AM
QAX XLab has uncovered the Wpeeper Android trojan, which utilizes a multi-level command-and-control (C&C) infrastructure with hacked WordPress sites acting as redirectors. The malware incorporates HTTPS communication, encryption, and an elliptic-curve signature. Although its activity abruptly ceased after receiving a self-deletion command, it is likely to resurface as the repackaged APKs continue to be downloaded.
Key Takeaways from Meeting Notes:
1. Chinese cybersecurity firm QAX XLab has discovered a new Android trojan named Wpeeper.
2. The malware employs a multi-level command-and-control (C&C) infrastructure, using compromised WordPress sites to hide the true C&C server.
3. Wpeeper uses HTTPS for communication, encrypts commands, employs an elliptic-curve signature to prevent takeover, and uses the Session field to differentiate requests.
4. QAX XLab identified dozens of C&C domains associated with the threat, which was distributed via repackaged applications in the third-party Android application store UPtodown Store.
5. The malware has likely infected at least several thousand devices, and before its abrupt disappearance it was seen using 45 C&C servers, most of which were compromised WordPress sites acting as redirectors, forwarding bot requests and hiding the real C&C.
6. The abrupt halt in Wpeeper’s activity suggests that the threat actor may be waiting for the downloaders to gain more popularity before pushing the trojan to user devices again.
7. QAX XLab noted that the professionalism of the creators is reflected in the encryption, signature verification, C2 Redirectors, and other mechanisms employed by Wpeeper.
8. The potential strategy behind Wpeeper’s current “silence” could be to enter the AI learning sample set of antivirus software as a trusted entity.