1. Home
  2. Software
  3. WellMess

WellMess

WellMess is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by APT29.[1][2][3]

ID: S0514
Type: MALWARE
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 24 September 2020
Last Modified: 22 March 2021
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

WellMess can use HTTP and HTTPS in C2 communications.[2][4][1][3]
.004 Application Layer Protocol: DNS

WellMess has the ability to use DNS tunneling for C2 communications.[2][3]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

WellMess can execute PowerShell scripts received from C2.[2][1]
.003 Command and Scripting Interpreter: Windows Command Shell

WellMess can execute command line scripts received from C2.[2]
Enterprise T1132 .001 Data Encoding: Standard Encoding

WellMess has used Base64 encoding to uniquely identify communication to and from the C2.[1]
Enterprise T1005 Data from Local System

WellMess can send files from the victim machine to C2.[2][1]
Enterprise T1001 .001 Data Obfuscation: Junk Data

WellMess can use junk data in the Base64 string for additional obfuscation.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

WellMess can decode and decrypt data received from C2.[2][4][1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.[2][4][1]
.002 Encrypted Channel: Asymmetric Cryptography

WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.[2][4][1][3]
Enterprise T1105 Ingress Tool Transfer

WellMess can write files to a compromised host.[2][1]
Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

WellMess can identify domain group membership for the current user.[1]
Enterprise T1082 System Information Discovery

WellMess can identify the computer name of a compromised host.[2][1]
Enterprise T1016 System Network Configuration Discovery

WellMess can identify the IP address and user domain on the target machine.[2][1]
Enterprise T1033 System Owner/User Discovery

WellMess can collect the username on the victim machine to send to C2.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[2][4][1][3][5]

References

  1. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  2. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  3. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  1. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  2. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.