S0514 WellMess
WellMess is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.[1][2][3]
Item | Value |
---|---|
ID | S0514 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 24 September 2020 |
Last Modified | 22 March 2021 |
Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | WellMess can use HTTP and HTTPS in C2 communications.[2][4][1][3] |
enterprise | T1071.004 | DNS | WellMess has the ability to use DNS tunneling for C2 communications.[2][3] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | WellMess can execute PowerShell scripts received from C2.[2][1] |
enterprise | T1059.003 | Windows Command Shell | WellMess can execute command line scripts received from C2.[2] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | WellMess has used Base64 encoding to uniquely identify communication to and from the C2.[1] |
enterprise | T1005 | Data from Local System | WellMess can send files from the victim machine to C2.[2][1] |
enterprise | T1001 | Data Obfuscation | - |
enterprise | T1001.001 | Junk Data | WellMess can use junk data in the Base64 string for additional obfuscation.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | WellMess can decode and decrypt data received from C2.[2][4][1] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard-coded RSA public key.[2][4][1] |
enterprise | T1573.002 | Asymmetric Cryptography | WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.[2][4][1][3] |
enterprise | T1105 | Ingress Tool Transfer | WellMess can write files to a compromised host.[2][1] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.002 | Domain Groups | WellMess can identify domain group membership for the current user.[1] |
enterprise | T1082 | System Information Discovery | WellMess can identify the computer name of a compromised host.[2][1] |
enterprise | T1016 | System Network Configuration Discovery | WellMess can identify the IP address and user domain on the target machine.[2][1] |
enterprise | T1033 | System Owner/User Discovery | WellMess can collect the username on the victim machine to send to C2.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0016 | APT29 | [2][4][1][3][5] |
References
1. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
2. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
3. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
4. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
5. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.