S0515 WellMail
WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.[1][2]
| Item | Value | 
|---|---|
| ID | S0515 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.0 | 
| Created | 29 September 2020 | 
| Last Modified | 09 October 2020 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | WellMail can archive files on the compromised host.[1] | 
| enterprise | T1005 | Data from Local System | WellMail can exfiltrate files from the victim machine.[1] | 
| enterprise | T1140 | Deobfuscate/Decode Files or Information | WellMail can decompress scripts received from C2.[1] | 
| enterprise | T1573 | Encrypted Channel | - | 
| enterprise | T1573.002 | Asymmetric Cryptography | WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.[1][2] | 
| enterprise | T1105 | Ingress Tool Transfer | WellMail can receive data and executable scripts from C2.[1] | 
| enterprise | T1095 | Non-Application Layer Protocol | WellMail can use TCP for C2 communications.[1] | 
| enterprise | T1571 | Non-Standard Port | WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[1][2] | 
| enterprise | T1016 | System Network Configuration Discovery | WellMail can identify the IP address of the victim system.[1] | 
| enterprise | T1033 | System Owner/User Discovery | WellMail can identify the current username on the victim system.[1] | 
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0016 | APT29 | [1][2][3] | 
References
- [1] CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
- [2] National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- [3] NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.