BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. [1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
BUBBLEWRAP can communicate using HTTP or HTTPS.[1] |
Enterprise | T1095 | Non-Application Layer Protocol |
BUBBLEWRAP can communicate using SOCKS.[1] |
|
Enterprise | T1082 | System Information Discovery |
BUBBLEWRAP collects system information, including the operating system version and hostname.[1] |