WellMess

WellMess is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.[1][2][3]

ID: S0514
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 24 September 2020
Last Modified: 22 March 2021

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

WellMess can send files from the victim machine to C2.[2][1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard-coded RSA public key.[2][4][1]

.002 Encrypted Channel: Asymmetric Cryptography

WellMess can communicate with C2 over mutual TLS, where client and server each verify the other's certificate.[2][4][1][3]

Enterprise T1140 Deobfuscate/Decode Files or Information

WellMess can decode and decrypt data received from C2.[2][4][1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WellMess can execute PowerShell scripts received from C2.[2][1]

.003 Command and Scripting Interpreter: Windows Command Shell

WellMess can execute command line scripts received from C2.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WellMess can use HTTP and HTTPS in C2 communications.[2][4][1][3]

.004 Application Layer Protocol: DNS

WellMess has the ability to use DNS tunneling for C2 communications.[2][3]

Enterprise T1001 .001 Data Obfuscation: Junk Data

WellMess can use junk data in the Base64 string for additional obfuscation.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

WellMess has used Base64 encoding to uniquely identify communication to and from the C2.[1]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

WellMess can identify domain group membership for the current user.[1]

Enterprise T1082 System Information Discovery

WellMess can identify the computer name of a compromised host.[2][1]

Enterprise T1033 System Owner/User Discovery

WellMess can collect the username on the victim machine to send to C2.[1]

Enterprise T1016 System Network Configuration Discovery

WellMess can identify the IP address and user domain on the target machine.[2][1]

Enterprise T1105 Ingress Tool Transfer

WellMess can write files to a compromised host.[2][1]

Groups That Use This Software

ID Name References
G0016 APT29 [2][4][1][3][5]

References