Skip to content

S0514 WellMess

WellMess is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.123

Item Value
ID S0514
Associated Names
Version 1.0
Created 24 September 2020
Last Modified 22 March 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols WellMess can use HTTP and HTTPS in C2 communications.2413
enterprise T1071.004 DNS WellMess has the ability to use DNS tunneling for C2 communications.23
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell WellMess can execute PowerShell scripts received from C2.21
enterprise T1059.003 Windows Command Shell WellMess can execute command line scripts received from C2.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding WellMess has used Base64 encoding to uniquely identify communication to and from the C2.1
enterprise T1005 Data from Local System WellMess can send files from the victim machine to C2.21
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data WellMess can use junk data in the Base64 string for additional obfuscation.1
enterprise T1140 Deobfuscate/Decode Files or Information WellMess can decode and decrypt data received from C2.241
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.241
enterprise T1573.002 Asymmetric Cryptography WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.2413
enterprise T1105 Ingress Tool Transfer WellMess can write files to a compromised host.21
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups WellMess can identify domain group membership for the current user.1
enterprise T1082 System Information Discovery WellMess can identify the computer name of a compromised host.21
enterprise T1016 System Network Configuration Discovery WellMess can identify the IP address and user domain on the target machine.21
enterprise T1033 System Owner/User Discovery WellMess can collect the username on the victim machine to send to C2.1

Groups That Use This Software

ID Name References
G0016 APT29 24135