
S0515 WellMail

WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess. [1][2]

ID: S0515
Associated Names: (none)
Version: 1.0
Created: 29 September 2020
Last Modified: 09 October 2020

Techniques Used

Domain     | ID        | Name                                   | Use
-----------|-----------|----------------------------------------|----------------------------------------------------------------------------
enterprise | T1560     | Archive Collected Data                 | WellMail can archive files on the compromised host. [1]
enterprise | T1005     | Data from Local System                 | WellMail can exfiltrate files from the victim machine. [1]
enterprise | T1140     | Deobfuscate/Decode Files or Information | WellMail can decompress scripts received from C2. [1]
enterprise | T1573     | Encrypted Channel                      | (see sub-technique T1573.002 below)
enterprise | T1573.002 | Asymmetric Cryptography                | WellMail can use hard-coded client and certificate authority certificates to communicate with C2 over mutual TLS. [1][2]
enterprise | T1105     | Ingress Tool Transfer                  | WellMail can receive data and executable scripts from C2. [1]
enterprise | T1095     | Non-Application Layer Protocol         | WellMail can use TCP for C2 communications. [1]
enterprise | T1571     | Non-Standard Port                      | WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications. [1][2]
enterprise | T1016     | System Network Configuration Discovery | WellMail can identify the IP address of the victim system. [1]
enterprise | T1033     | System Owner/User Discovery            | WellMail can identify the current username on the victim system. [1]

Groups That Use This Software

ID    | Name  | References
------|-------|-----------
G0016 | APT29 | [1][2][3]