WellMess

Malware updated a month ago (2024-11-29T14:11:13.354Z)
Download STIX
Preview STIX
The WellMess malware, first reported by LAC and JPCERT in mid-2018, is a malicious software that stores the Command and Control (C2) IP addresses it uses in the binary as plaintext URLs. The C2 has limited functionality to relay information between itself, the WellMess backdoor, and presumably a further threat actor-controlled machine. This malware, along with its C2 software, enables threat actors to interact with victims in an offline manner and with a level of abstraction between the threat actor and the malicious software. Interestingly, the implementation details of Seaduke, another malware, share some similarities with WellMess, particularly in their use of encrypted cookies for metadata transfer and obfuscated base64 data in HTTP requests for communication contents. In July 2020, the U.S., U.K., and Canadian Governments jointly published an advisory revealing the Russian Foreign Intelligence Service's (SVR) exploitation of Common Vulnerabilities and Exposures (CVEs) to gain initial access to networks. They deployed custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development. GRAVITYWELL, the Recorded Future designation for server technology and TLS certificate configuration commonly used to host the SVR-linked WellMess backdoor, exemplifies such transient infrastructure. While there isn't definitive evidence tying WellMess to a specific threat actor, it shares design similarities with a previous tool called Seaduke, used by Blue Kitsune (also known as APT29), to whom the National Cyber Security Centre (NCSC) has publicly attributed WellMess. The operation of the WellMess server as an intermediate C2 aligns with the Seaduke model of using compromised third-party websites or infrastructure to host C2 servers. These act as staging environments to store commands and responses between the threat actor and the backdoor. The inclusion of mutual TLS in HTTPS communications with a self-signed CA ensures secure communication, preventing potential person-in-the-middle attacks on traffic between the server and the WellMess backdoor.
Description last updated: 2024-05-04T21:15:02.558Z
What's your take? (Question 1 of 3)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Exploit
Malware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT29 Threat Actor is associated with WellMess. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw Unspecified
2
Source Document References
Information about the WellMess Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more