WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure to WellMess.[1][2]

ID: S0515
Platforms: Windows
Contributors: Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
Version: 1.0
Created: 29 September 2020
Last Modified: 09 October 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 Archive Collected Data

WellMail can archive files on the compromised host.[1]

Enterprise T1005 Data from Local System

WellMail can exfiltrate files from the victim machine.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

WellMail can decompress scripts received from C2.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.[1][2]

Enterprise T1105 Ingress Tool Transfer

WellMail can receive data and executable scripts from C2.[1]

Enterprise T1095 Non-Application Layer Protocol

WellMail can use TCP for C2 communications.[1]

Enterprise T1571 Non-Standard Port

WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.[1][2]

Enterprise T1016 System Network Configuration Discovery

WellMail can identify the IP address of the victim system.[1]

Enterprise T1033 System Owner/User Discovery

WellMail can identify the current username on the victim system.[1]

Groups That Use This Software

ID Name References
G0016 APT29